(54) Verifiable, secret shuffles of encrypted data, such as ElGamal encrypted data for secure
multi-authority elections






(57) A cryptographic process permits one to verifiably shuffle a series of input data elements. One or more authorities or individuals "shuffle" or "anonymize" the input data (e.g. public keys in discrete log form or ElGamal encrypted ballot data). The process includes a validity construction that prevents any one or more of the authorities or individuals from making any changes to the original data without being discovered by anyone auditing a resulting proof transcript. The shuffling may be performed at various times. In the election example, the shuffling may be performed, e.g., after ballots are collected or during the registration or ballot request phase of the election, thereby anonymizing the identities of the voters.
Description

CROSS-REFERENCE TO RELATED APPLICATIONS 

[0001] This application claims the benefit of U.S. Provisional Patent Applications Nos. 60/191,785, filed March 24, 2000 and 60/252,376, filed November 21, 2000, both entitled "Verifiable, Secret Shuffles of El-Gamal Encrypted Data," and 60/268,551, filed February 14, 2001, entitled "Verifiable, Secret Shuffles of El-Gamal Encrypted Data for Secure Multi-Authority Elections," all by the same inventor and currently pending.



TECHNICAL FIELD 

[0002] The following relates generally to encryption, and more specifically to electronic encryption such as for use in voting schemes.

BACKGROUND AND SUMMARY 

[0003] The notion of a shuffle of a collection of objects, records, or tokens is simple and intuitive, and useful examples abound in various daily human activities. A gambler in a casino knows that when he picks up his hand of cards, each one will be one of 52 unique values, and that no one else at the table will have duplicates of the ones he holds. He does not, however, have any knowledge of how the cards are distributed, even though he may have recorded the exact card order before they were shuffled by the dealer.

[0004] In the context of electronic data, the problem of achieving the same kind of random, yet verifiable permutation of an input sequence is surprisingly difficult. The problem is that the data itself is either always visible to the auditor, or it isn't. If it is, then the correspondence between input records and output records is trivial to reconstruct by the auditor or other observer. If it isn't, then input and output records must be different representations of the same underlying data. But if the output is different enough (that is, encrypted well enough) that the auditor cannot reconstruct the correspondence, then how can the auditor be sure that the shuffler did not change the underlying data in the process of shuffling?

[0005] Most of the description below is devoted to giving an efficient (linear) method for solving this problem in an important context: ElGamal encrypted data. In order to make the exposition as clear and concise as possible, the majority of the description below explicitly refers to the specific case where operations are carried out in Z_p^*, the multiplicative group of units modulo a large prime, p. However, the only properties of the underlying (multiplicative) group used are that the associated ElGamal cryptosystem should be secure, and that the Chaum-Pedersen protocol for the relation log_g X = log_h Y = u (D. Chaum. Zero-knowledge undeniable signatures. Advances in Cryptology - EUROCRYPT '90, Lecture Notes in Computer Science, volume 473, pages 458-464, Springer-Verlag, 1991. D. Chaum and T.P. Pedersen. Wallet Databases With Observers. In Advances in Cryptology - CRYPTO '92, Volume 740 of Lecture Notes in Computer Science, pages 89-105. Berlin, 1993. Springer-Verlag.) should not leak information about the secret exponent, u. In fact, for one embodiment, a universally verifiable, multi-authority election protocol, the verifier will be implemented via the Fiat-Shamir heuristic (A. Fiat, A. Shamir. How to prove yourself: Practical solutions to identification and signature problems. Advances in Cryptology - CRYPTO '86, Lecture Notes in Computer Science, pp. 186-194. Springer-Verlag, New York, 1987.), so in this case it is sufficient that the protocol be zero-knowledge against an honest verifier. (R. Cramer, R. Gennaro, B. Schoenmakers. A secure and optimally efficient multi-authority election scheme. Advances in Cryptology - EUROCRYPT '97. Lecture Notes in Computer Science. Springer-Verlag, 1997.) Thus, the shuffle protocol is also useful when the ElGamal cryptosystem is implemented over other groups such as elliptic curves. The general Boolean proof techniques of R. Cramer, I. Damgård, B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols (Advances in Cryptology - CRYPTO '94, Lecture Notes in Computer Science, pp. 174-187, Springer-Verlag, Berlin, 1994.) can also be used to construct a proof with the same properties; however, the resulting proof size (complexity) is quadratic, or worse, in the size of the input sequence.
[0006] The protocols or methods described below also offer several advantages over the cut-and-choose technique as used in K. Sako, J. Kilian. Receipt-free mix-type voting scheme - A practical solution to the implementation of a voting booth. Advances in Cryptology - EUROCRYPT '95, Lecture Notes in Computer Science, Springer-Verlag, 1995. In this approach, the size of the proof is dependent on the probability of a cheating prover that is required to satisfy all participants. In the shuffle protocol described herein, this cheating probability is essentially k/q, where k is the number of elements to be shuffled, and q is the size of the subgroup of Z_p^* in which the elements are encrypted. Although no analysis of the proof size is done in the Sako paper, it appears that, in order to obtain similarly low cheating probability, it will need to be orders of magnitude larger than the size of the proof provided herein. (Moreover, if the K. Sako protocol is implemented non-interactively, the cheating probability would need to be chosen exceedingly small, because a malicious participant might use considerable off-line computation to generate a forged proof by exhaustive search. This, of course, could be the case with the protocols described, but the probability k/q is, for all practical values of k and q, certainly small enough.)

[0007] The advantage of the current scheme becomes even more apparent when seen in the context of the resulting universally verifiable election protocol. In K. Sako, each voter must interact sequentially with each "counting center" before actually casting his/her vote. On this account, it is unlikely that a useable implementation could be built for large scale, public sector elections in the near future. In contrast, the protocols described below put all authority participation (except, possibly, for the creation of basic election parameters) at the close of the election, purely for the purpose of tabulation.

[0008] This nice property is also found in the elegant homomorphic election protocol in the paper by R. Cramer, R. Gennaro, and B. Schoenmakers. However, that protocol can only be applied to ballots whose questions are of a simple "choose (at most) m of n" type. This effectively precludes "write-in" responses, as well as "proportional type" questions where the voter is expected to indicate answers in preferential order, and questions are tabulated in accordance with this preference. A couple of somewhat less important disadvantages of the R. Cramer, R. Gennaro, and B. Schoenmakers scheme are that it expands vote data size considerably, and that it requires a voter validity proof. This proof further expands the vote data size by about an order of magnitude, and is unattractive from a practical perspective, because it presumes special purpose code to be running on the voter's computer.

[0009] The protocol described below is constructed entirely from a sequence of Chaum-Pedersen proofs and elementary arithmetic operations. It is thus simple to implement.

BRIEF DESCRIPTION OF THE DRAWINGS 

[0010] 

Figure 1 is a block diagram illustrating a suitable environment for implementing embodiments of the invention.

Figure 2 is a schematic diagram illustrating a simple implementation of the shuffle protocol described herein as applied to a simple ballot with three voters and three shuffles.

Figure 3 is a flow diagram illustrating a scaled iterative logarithmic multiplication proof protocol.

Figure 4 is a flow diagram illustrating a simple shuffle protocol where the shuffler knows the encryption exponent.

Figure 5 is a flow diagram illustrating a general shuffle protocol where the shuffler does not know the encryption exponents.

Figure 6 is a flow diagram illustrating an anonymous certificate distribution routine.

Figure 7 is a flow diagram illustrating an alternative embodiment to the anonymous certificate distribution routine of Figure 6.

[0011] In the drawings, identical reference numbers identify identical or substantially similar elements or acts. To easily identify the discussion of any particular element or act, the most significant digit or digits in a reference number refer to the Figure number in which that element is first introduced (e.g., element 204 is first introduced and discussed with respect to Figure 2).

[0012] The headings provided herein are for convenience only and do not necessarily affect the scope or meaning of 
the claimed invention. 

DETAILED DESCRIPTION 

1. Overview 

[0013] Described in detail below is a cryptographic protocol to verifiably shuffle a series of elements, such as an input sequence of public keys in discrete log form or k input ElGamal encryptions, that has applications in, e.g., a secure, universally verifiable, multi-authority election scheme. In the case of k input ElGamal encryptions, the output of the shuffle operation is another sequence of k ElGamal encryptions, each of which is a re-encryption (i.e., an ElGamal pair which encrypts exactly the same clear text) of exactly one of the input encryptions, but the order of elements in the output is kept secret. Though it is a trivial matter for the "shuffler" (who chooses the permutation of the elements to be applied and the encryption keys used) to compute the output from the input, the construction is important because it provides a linear size proof of correctness for the output sequence (i.e., a proof that it is of the form claimed) that can be checked by an arbitrary verifier. The security of the proof protocol is the same as that of the Chaum-Pedersen protocol for the relation log_g X = log_h Y, which is sufficient for the election application in which it is used.

[0014] The following description provides specific details for a thorough understanding of, and enabling description for, embodiments of the invention. However, one skilled in the art will understand that the invention may be practiced without these details. In other instances, well known structures and functions have not been shown or described in detail to avoid unnecessarily obscuring the description of the embodiments of the invention.

[0015] Much of the detailed description provided below is explicitly disclosed in the provisional patent applications noted above; much of the additional material will be recognized by those skilled in the relevant art as being inherent in the detailed description provided in such provisional patent applications, or well known to those skilled in the relevant art. Those skilled in the relevant art can implement aspects of the invention based on the detailed description provided in the provisional patent applications.

[0016] The mathematical notation used here is readily understandable to those skilled in the relevant art; however, for those unfamiliar with the art, the following definitions and descriptions are provided. Such definitions, although brief, will help those generally unfamiliar with the art to more fully understand aspects of the invention based on the detailed description provided herein. Such definitions are further defined by the description of the invention as a whole (including the claims), and not simply by such definitions.

[0017] Figures 1-5, as well as the detailed description provided herein, describe protocols between a party (e.g., a voter) and a verifier (or between a proving party and a verifying party). The actions performed by the parties are grouped together into flow diagram boxes. In general, each line of text or equations in a box describes a step, such as a computation, transmittal of information, or storage or retrieval function. Such flow diagrams are read line by line and box by box.

[0018] The term "party" as generally used herein indicates an entity, and might be an agent who performs a step or a collection of steps under the protocol. It may also refer to a means or method for performing some or all of the steps. Thus, some or all portions of the protocols may be performed under any suitable configuration of digital logic circuitry. For example, any or all steps under the protocol may be realized by not only a general purpose computer, such as a personal computer, but by a hard-wired or dedicated combinatorial logic device, or any sort of suitably programmed machine or microprocessor, so long as such device or machine performs the required processing steps, storage, input and output, and the like.

[0019] The symbol "∈_R" generally indicates that a number or numbers on the left-hand side are chosen from a set on the right-hand side according to a probability distribution that is substantially uniform and independent (random). In practice, a physical random number generator can be used, possibly in conjunction with additional post-processing, or a deterministic pseudo-random number generator. Methods of generating random numbers are known by those skilled in the relevant art.

[0020] The symbols "Π" and "Σ" respectively denote product and sum, which are indexed.

[0021] The symbol "Z_p" denotes the set of integers 0 through p-1, or ring of integers, modulo p. Addition and multiplication of elements in the ring Z_p are defined modulo p.

[0022] The symbol "∈" denotes that an element on the left-hand side is a member or element of a set on the right-hand side.

[0023] The symbol "⊂" denotes that a set on the left-hand side is a subset of a set on the right-hand side, that is, that the set on the left-hand side is contained in the set on the right-hand side.

[0024] The angle bracket symbols (i.e., "⟨ ⟩") are paired symbols that generally indicate that the term or terms between them denote a subgroup generated by a subset of a given group or ring of integers (e.g., the ring Z_p). A subgroup is a subset of another group (or ring) that is also a group under the same binary operation (e.g., the integers are a subgroup of the real numbers under addition, but the integers modulo n are not a subgroup of these since the operations are differently defined).

[0025] In the following, unless explicitly stated otherwise, n will be a positive integer, p and q will be prime integers, publicly known. Arithmetic operations are performed in the modular ring Z_p (or occasionally Z_q), and g ∈ Z_p will have (prime) multiplicative order q. (So, trivially, q | (p-1).) In each proof protocol, P will be the prover (shuffler) and V the verifier (auditor).

[0026] One embodiment described below employs a Z_p (ElGamal) cryptosystem, although an elliptic curve cryptosystem and cryptosystems under general groups may be used. Such cryptosystems employ public keys for asymmetrical cryptosystems. Public key systems employ so-called one-way functions and trap-door functions. A "one-way function" is a function whose output is relatively easy to calculate but whose inverse functions are far more difficult to compute. For example, power functions are such that it is easy to compute the product of a number of equal factors, but the reverse operation of finding the root of a quantity is more complicated. "Trap door" functions are similar to one-way functions, but where the inverse functions are extremely difficult unless some additional information is available. This additional information is typically the "private key" held by a party, such as a voter.

[0027] The below methods and protocols frequently use the Chaum-Pedersen proof of equality for discrete logarithms. For g, X, h, Y ∈ Z_p this is a proof of knowledge for the relation

$$\log_g X = \log_h Y \qquad (1)$$

[0028] It is not known to be zero-knowledge; however, it is known to be zero-knowledge against an honest verifier, which is sufficient for our main application where the verifier is implemented via the Fiat-Shamir heuristic.

[0029] "Zero-knowledge proofs" allow a voter or prover party to demonstrate knowledge of a secret while revealing no information whatsoever of use to the verifier party in conveying this demonstration of knowledge. Only a single bit of information is conveyed, namely that the prover party actually does know the secret. In other words, a voter and a verifying authority exchange messages, where the voter's objective is to convince the verifier of the truth of an assertion, e.g., that the encrypted ballot is, or the shuffled sequence of ballots or elements are, complete and correct, without revealing how the voter voted on each question in the ballot or how the series of elements were shuffled. Under such zero-knowledge proofs, each voter or prover party effectively generates certain numbers that only a person having his or her own private key could generate. A verifier or authenticating party then confirms that each calculated number indeed is generated under a known algorithm to thereby authenticate the voter and that his or her electronic ballot is complete and correct or "well-formed" for all allowable choices and constraints, or that the series of elements have not been altered (besides being shuffled and encrypted).

[0030] Definition 1 An instance of the Chaum-Pedersen proof, as above, will be denoted by

$$CP(g, X, h, Y)$$
[0031] Definition 2 For fixed g ∈ Z_p, let ⊗_g be the binary operator on ⟨g⟩ (⟨g⟩ denotes the subgroup generated by g) defined by

$$\log_g (x \otimes_g y) = \log_g x \cdot \log_g y$$

for all x, y ∈ ⟨g⟩. Alternatively,

$$g^a \otimes_g g^b = g^{ab} = (g^a)^b = (g^b)^a$$

for all a, b ∈ Z_q. Following the indexing conventions used for summations and multiplications, we also use the notation

$$\bigotimes_{i=1}^{k} X_i = X_1 \otimes_g X_2 \otimes_g \cdots \otimes_g X_k .$$

This operation is referred to herein as logarithmic multiplication base g.

[0032] In each of the notations in the preceding definition, the subscript g may be omitted when its value is clear from context. As generally used herein, "binary operator" refers to an operator defined on a set which takes two elements from the set as inputs and returns a single element.

[0033] Remark 1 Notice that in the Chaum-Pedersen proof, if h = g^s, and the common logarithm is u = log_g X = log_h Y, then CP(g, X, h, Y) is obviously also a proof of the relation Y = h ⊗_g X = X ⊗_g h.

[0034] Remark 2 The above proof is obviously zero-knowledge with respect to s, since the Prover need not have any knowledge of this value in order to construct the proof.

[0035] Note the following collection of well-known results, since they will be heavily used in the remainder of the detailed description.

[0036] Lemma 1 Let f(x) ∈ Z_q[x] be a polynomial of degree d. Then there are at most d values z_1, ..., z_d ∈ Z_q such that f(z_i) = 0.

[0037] Corollary 1 Let f(x), g(x) ∈ Z_q[x] be two polynomials of degree at most d, with f ≠ g. Then there are at most d values z_1, ..., z_d ∈ Z_q such that f(z_i) = g(z_i).

[0038] Corollary 2 Let f(x), g(x) ∈ Z_q[x] be two polynomials of degree at most d, with f ≠ g. If c ∈_R Z_q (c is selected at random from Z_q), then the following probability holds:

$$\Pr(f(c) = g(c)) \le d/q .$$

[0039] Lemma 2 Let Z_q^k be the standard k-dimensional vector space over Z_q and fix v = (v_1, ..., v_k) ∈ Z_q^k, v ≠ 0. If r ∈_R Z_q^k is chosen at random, then

$$\Pr(\{r : v \cdot r = 0\}) = 1/q .$$

2. Proofs for Iterated Logarithmic Multiplication 

[0040] For the rest of this section, all logarithmic multiplications will be computed relative to a fixed element g, and hence we will omit the subscript in notation. The following problem is fundamental to the shuffle proofs which are to come later.

[0041] Iterated Logarithmic Multiplication Problem: Two sequences {X_i}_{i=1}^k and {Y_i}_{i=1}^k are publicly known. The Prover, P, also knows u_i = log_g X_i and v_i = log_g Y_i for all i, but these are unknown to the verifier, V. P is required to convince V of the relation

$$\bigotimes_{i=1}^{k} X_i = \bigotimes_{i=1}^{k} Y_i \qquad (2)$$

without revealing any information about the secret logarithms u_i and v_i.

[0042] Intuitively, this problem is simple in light of Remark 1. The Prover can construct two sequences of k Chaum-Pedersen proofs to convince V of both the value of $\bigotimes_{i=1}^{k} X_i$ and the value of $\bigotimes_{i=1}^{k} Y_i$, and V can then check that these two values are the same. If all the X_i and Y_i are known to be random and independent, this might be acceptable for the purpose of keeping the u_i and v_i secret and may be implemented under one embodiment of the invention, but it is clear that this protocol reveals some information that V can not compute himself, namely the values of $\bigotimes_{i=1}^{k} X_i$ and $\bigotimes_{i=1}^{k} Y_i$, as well as the intermediate logarithmic multiplications. In order to strengthen the protocol, the depicted embodiment and method described in detail below introduces some randomness in order to ensure that it leaks no more information than the underlying Chaum-Pedersen protocol.
Iterated Logarithmic Multiplication Proof:
[0043]

1. P secretly generates, randomly and independently, k+1 values {r_i}_{i=0}^k ⊂ Z_q, and reveals the exponentiated values g^{r_i}.

2. For each 1 ≤ i ≤ k, P secretly computes w_i = r_i u_i / r_{i-1}, and reveals W_i = g^{w_i}; z_i = [illegible in source].

3. P sets Z_i = g^{z_i} and constructs the two Chaum-Pedersen proofs

[equations (3) and (4) illegible in source]

which he reveals to V. These two Chaum-Pedersen proofs taken together cannot reveal any more information about the secrets than the information that is revealed from each of them taken separately. The key to seeing this is Remark 2. The first proof is zero-knowledge with respect to r_i / r_{i-1}, though only honest verifier zero-knowledge with respect to u_i / r_{i-1}. But the second proof is zero-knowledge with respect to r_i and u_i, since even the Prover need not know these values in order to generate the proof. Of course, one can gain some information about these values from the revealed value Z_i, but only if some information is known about v_i. It is not known if this can happen with a dishonest verifier, but it does not when the verifier is honest, and this is the case with the embodiments and applications described below.

Clearly the quotients r_i / r_{i-1} are all uniformly distributed and independent, so the values z_i themselves do not reveal any information, by themselves, about the u_i and v_i.

4. V checks that Z_i [illegible in source] and each Chaum-Pedersen proof.

5. V finally evaluates $Z = \prod_{i=1}^{k} Z_i$ and checks that Z = [illegible in source].

[0044] One can easily check that this protocol solves the iterated logarithmic multiplication problem by referring to Remark 1 and by simply multiplying out the exponents. The probability of a forged proof is bounded above by the probability that one or more of the Chaum-Pedersen proofs have been forged. Each of these probabilities is 1/q. Hence the overall probability of a forged proof is bounded above by 2k/q.

[0045] For reasons that will become apparent later, the following variant of the iterated logarithmic multiplication problem will actually be of more use to the method.

[0046] Scaled Iterated Logarithmic Multiplication Problem: As in the original problem, two sequences {X_i}_{i=1}^k and {Y_i}_{i=1}^k are publicly known. u_i = log_g X_i and v_i = log_g Y_i for all i are known to P, but secret from V. In addition, a constant c ∈ Z_q is known only to P, but a commitment of c, C = g^c, is made known to V. P is required to convince V of the relation

[equation (5) illegible in source]

without revealing any information about the secret logarithms u_i, v_i and c.
Scaled Iterated Logarithmic Multiplication Proof:

[0047] The proof requires only a minor variation to the original. The Chaum-Pedersen proof (4) needs to be replaced by the similar proof



EP 1 633 077 A2 



$$CP(Y_i, C, W_i, Z_i) \qquad (6)$$



3. The Simple k-Shuffle

[0048] The first shuffle proof we construct requires a restrictive set of conditions. It will be useful for two reasons. First, it is a basic building block of the more general shuffle proof to come later. Fortuitously, it also serves a second important purpose. A single instance of this proof can be constructed to effectively "commit" a particular permutation. This can be important when shuffles need to be performed on tuples of Z_p elements, which is exactly what is required in the voting application. (A "tuple" refers to a sequence or ordered set. For example, a 5-tuple or quintuple is an ordered set of five elements, while a k-tuple refers to a finite ordered set with an unspecified number of members.)

[0049] Simple k-Shuffle Problem: Two sequences of k elements of Z_p, X_1, ..., X_k and Y_1, ..., Y_k, are publicly known. The Prover, P, also knows u_i = log_g X_i and v_i = log_g Y_i, but these are unknown to the verifier, V. In addition, a constant c ∈ Z_q is known only to P, but a commitment of c, C = g^c, is made known to V. P is required to convince V that there is some permutation, π, with the property that



for all 1 ≤ i ≤ k without revealing any information about π or the secret c. The function π corresponds to a function for mapping a set of input elements to a permuted set of output elements.

[0050] Simple k-Shuffle Proof: The proof construction is almost trivial in light of the previous section and Corollary 2.

1. V generates a random t ∈ Z_q and gives it to P as a challenge.

2. P computes T = g^t (also known to V) and S = T^c = g^{ct}.

3. P generates the Chaum-Pedersen proof CP(g, C, T, S) and reveals this to V.

4. P computes publicly (i.e., checked by V) the values U_i = T/X_i and V_i = S/Y_i. Note: U_i and V_i are chosen thusly to be more in line with the notation in Corollary 2. In one embodiment, the method implements the protocol with U_i = X_i T and V_i = Y_i S, since divisions are computationally more expensive than multiplications.

[0051] The Prover executes the scaled iterated logarithmic multiplication proof protocol for the sequences {U_i}_{i=1}^k and {V_i}_{i=1}^k and the commitment C. By checking the scaled logarithmic multiplication proofs on sequences U and V, the verifier ensures that the desired relationship between the initial input sequence of elements X and the sequence Y holds (based on Corollary 2).

[0052] A forged proof can only be generated if either the scaled iterated logarithmic multiplication proof is forged, or the single proof of S = T^c is forged, or V happens to choose t from the exceptional set in Corollary 2. Hence the overall probability of a forged proof is bounded above by [bound illegible in source]. Further information regarding proofs provided under the shuffle protocols described herein may be found in the above-referenced U.S. Provisional Patent Applications.

[0053] In general, the simple k-shuffle may be sufficient for some applications. To shuffle items, an individual needs to employ a cryptographic transformation (e.g., exponentiation) where there is certainty that a series or sequence of output elements Y_1 through Y_k were derived from an original or input sequence of elements X_1 through X_k based on constant cryptographic information, without revealing which of the original X elements produced a resulting Y element. Furthermore, individuals wish to provide such shuffling without also having to employ a burdensome proof of validity, such as the cut and choose type of validity proofs known in the prior art that require numerous iterations for a sufficient level of proof. Instead, a series of k independent Chaum-Pedersen proofs based on a secret exponentiation value c are employed, as described herein.
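To make the Chaum-Pedersen proof of [0027]-[0029] and the simple k-shuffle steps of this section concrete, here is an added Python example (not code from the patent): it implements CP(g, X, h, Y) with the Fiat-Shamir heuristic of [0005], runs steps 1-4 of the simple k-shuffle proof for a verifier challenge t, and checks the Corollary 2 identity between the U and V sequences directly from the prover's secret exponents, standing in for the scaled iterated logarithmic multiplication proof. The group parameters, exponents, permutation and function names are the example's own constructed choices.

```python
import hashlib
import secrets

# Constructed toy group (illustration only): p = 2q + 1 with q prime, g of order q in Z_p^*.
# A deployment would use a group of at least 2048 bits or an elliptic curve group.
P = 2039
Q = 1019
G = 4


def challenge(*elems):
    """Fiat-Shamir heuristic: derive the verifier's challenge in Z_q from the transcript."""
    data = b"|".join(str(e).encode() for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def cp_prove(g, x, h, y, u):
    """CP(g, x, h, y): prove knowledge of u with log_g x = log_h y = u (relation (1))."""
    w = secrets.randbelow(Q)                  # one-time blinding exponent
    a, b = pow(g, w, P), pow(h, w, P)         # commitments g^w and h^w
    e = challenge(g, x, h, y, a, b)
    z = (w + e * u) % Q                       # response; w masks u
    return (a, b, z)


def cp_verify(g, x, h, y, proof):
    """Accept iff g^z = a * x^e and h^z = b * y^e for the recomputed challenge e."""
    a, b, z = proof
    e = challenge(g, x, h, y, a, b)
    return (pow(g, z, P) == a * pow(x, e, P) % P
            and pow(h, z, P) == b * pow(y, e, P) % P)


def simple_k_shuffle(xs, c, perm):
    """Shuffler's side: Y_i = X_{perm[i]}^c for a secret c and permutation; also returns C = g^c."""
    ys = [pow(xs[perm[i]], c, P) for i in range(len(xs))]
    return ys, pow(G, c, P)


def shuffle_randomize(xs, ys, c, C, t):
    """Steps 1-4 of the simple k-shuffle proof for the verifier's challenge t.

    Returns T = g^t, S = T^c, the proof CP(g, C, T, S) and the public sequences
    U_i = T / X_i and V_i = S / Y_i, whose logarithms are t - u_i and ct - v_i.
    """
    T = pow(G, t, P)
    S = pow(T, c, P)
    proof = cp_prove(G, C, T, S, c)
    us = [T * pow(x, -1, P) % P for x in xs]
    vs = [S * pow(y, -1, P) % P for y in ys]
    return T, S, proof, us, vs


def scaled_relation_holds(u_exps, v_exps, c, t):
    """Corollary 2 identity in the exponent: c^k * prod(t - u_i) == prod(c*t - v_i) (mod q).

    This is the relation between U and V that the scaled iterated logarithmic
    multiplication proof establishes in zero knowledge. Here it is evaluated directly
    from the secret exponents, to show why an honest shuffle satisfies it for every t
    while an altered output fails it for all but at most k values of t.
    """
    k = len(u_exps)
    lhs, rhs = pow(c, k, Q), 1
    for u, v in zip(u_exps, v_exps):
        lhs = lhs * ((t - u) % Q) % Q
        rhs = rhs * ((c * t - v) % Q) % Q
    return lhs == rhs


def demo(tamper=False):
    """Shuffle three elements; with tamper=True the shuffler substitutes a foreign element."""
    u_exps = [17, 250, 993]                   # constructed secret logs of the inputs X_i
    xs = [pow(G, u, P) for u in u_exps]
    c, perm = 731, [2, 0, 1]                  # constructed shuffle exponent and permutation
    ys, C = simple_k_shuffle(xs, c, perm)
    v_exps = [(c * u_exps[perm[i]]) % Q for i in range(3)]
    if tamper:
        ys[1], v_exps[1] = pow(G, 5, P), 5    # g^5 is not a c-th power of any input
    t = 404                                   # verifier's challenge (constructed)
    T, S, proof, us, vs = shuffle_randomize(xs, ys, c, C, t)
    # A real verifier sees only T, S, proof, us, vs; the exponent check stands in for the ILMP.
    return cp_verify(G, C, T, S, proof) and scaled_relation_holds(u_exps, v_exps, c, t)
```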

4. The General k-Shuffle

[0054] An obvious limitation of the simple k-shuffle protocol is that the shuffler, P, must know all the original exponents u_1, ..., u_k. In many applications this will not be the case. The next step is to eliminate this restriction.
[0055] General k-Shuffle Problem: Two sequences of k elements of Z_p, X_1, ..., X_k and Y_1, ..., Y_k, are publicly known. In addition, a constant c ∈ Z_q is known only to P, but a commitment of c, C = g^c, is made known to V. P is required to convince V that there is some permutation, π, with the property that



for all 1 ≤ i ≤ k without revealing any information about π or the secret c.

[0056] General k-Shuffle Proof: The proof is constructed from a simple k-shuffle that has been "appropriately randomized" by the verifier, and an application of Lemma 2.

1. P generates a sequence {s_i}_{i=1}^k ⊂ Z_q, randomly and independently, and reveals the sequence of exponentiated values g^{s_i}.

2. V generates another sequence {e_i}_{i=1}^k ⊂ Z_q, randomly and independently, and gives this to P as a challenge.

3. P publicly sets U_i = g^{s_i} g^{e_i} and secretly sets u_i = s_i + e_i (so that U_i = g^{u_i}). Requiring the Prover to add a value generated by the Verifier prevents the Prover from picking certain secrets (exponents) and otherwise helps ensure encryption robustness.

4. P constructs a simple k-shuffle on the sequence {U_i}_{i=1}^k, with another commitment D = g^d (different secret exponent), and inverse permutation, π^{-1}, resulting in a shuffled sequence and the corresponding proof as in the simple k-shuffle section. (Recall that the U_i are public, but the u_i are secret to P.)

5. P publicly sets the values A_i and B_i (exponentiations of X_i and Y_i, respectively; the exponents are illegible in the source), and reveals the Chaum-Pedersen proofs

[equation (9) illegible in source]

$$CP(g, [\text{illegible}], Y_i, B_i) \qquad (10)$$

Thus, the sequences of elements A and B correspond to the input sequences of elements X and Y.
6. Publicly, the values

$$A = \prod_{i=1}^{k} A_i \qquad (11)$$

$$B = \prod_{i=1}^{k} B_i \qquad (12)$$

are evaluated.

7. P reveals the Chaum-Pedersen proof



$$CP(D, A, C, B) \qquad (13)$$



[0057] Steps 5-7 above effectively require the Prover to pin down the data to help ensure that the Prover has not tampered with the original data. (These steps differ from the simple shuffle description above.) A forged proof can only be generated if either the simple k-shuffle proof is forged, or one of the Chaum-Pedersen proofs is forged, or the tuple (u_1, ..., u_k) is chosen from the exceptional set in Lemma 2. Hence the overall probability of forgery is bounded above by

[equation (14) illegible in source]






5. k-Shuffles of Tuples

[0058] Those skilled in the relevant art will recognize that in the previous section, the choice of the simple shuffle essentially "froze" the permutation that could be proven. This makes it easy to see how to extend the previous section to shuffles of k tuples of elements of ⟨g⟩. Thinking of a sequence of k l-tuples as a k × l array, a single simple k-shuffle can serve to prove that all columns have been permuted according to the same permutation, but each row left unchanged. Thus, the k-shuffle described above is performed l times, once for each column of the array of k elements (each of the k shuffles reuses the simple shuffle). In particular, this extends to tuples of ElGamal pairs.


6. The Voting Application 

[0059] Information regarding registering voters, forming and distributing ballots, storing ballots, and conducting an election employing encrypted, electronic ballots, may be found in U.S. Patent Application Nos. 09/535,927, filed March 24, 2000, entitled "Multi-Way Election Method and Apparatus," 09/534,635, filed March 24, 2000, entitled "Electronic Voting Scheme Employing Permanent Ballot Storage," 09/534,836, filed March 24, 2000, entitled "Method, Article and Apparatus for Registering Registrants, Such as Voter Registrants," 60/252,762, filed November 22, 2000, entitled "Election System," 60/270,182, filed February 20, 2001, entitled "Method and Apparatus for Detection and Correction of Compromised Ballots in Secret, Remote, Electronic Voting Systems," and 60/272,663, filed March 2, 2001, entitled "Information Theoretically Anonymous Signatures with Discrete Log Security."

[0060] In one embodiment, votes are submitted as ElGamal pairs of the form (g^α_i, h^α_i m), (or a sequence of these pairs
if more data is required), where m is some standard encoding of the voter choices (described herein), the α_i are generated
secretly by the voters, and h is a public parameter constructed via a dealerless secret sharing scheme (see, e.g., T.
Pedersen, A threshold cryptosystem without a trusted party, Advances in Cryptology - EUROCRYPT '91, Lecture Notes
in Computer Science, pp. 522-526, Springer-Verlag, 1991). Once the polls are closed (voting finished), an independent
collection of authorities sequentially shuffles the ballots. On output of the final shuffle, the final collection of encrypted
ballots is decrypted in accordance with the threshold scheme, and the clear text votes are tabulated in full view by normal
election rules.

[0061] The authorities who participate in the sequential shuffles may be arbitrary in number, and they may be
completely different from those who hold shares of the election private key. The sequence of ballots which are finally decrypted
can only be matched with the original sequence of submitted ballots if all of the shuffling authorities collude, since each
of their permutations is completely arbitrary.

[0062] Each shuffle is performed by an individual authority as follows:

1. The exponents β_i are chosen secretly, randomly and independently.

2. Each vote v_i = (g^α_i, h^α_i m) is replaced, in sequence, by (g^(α_i+β_i), h^(α_i+β_i) m). A Chaum-Pedersen proof is published
without revealing the secrets.

3. A shuffle with secret exponent c is performed on the resulting encrypted votes.

4. Steps 1-2 are repeated.

5. At this point, the messages that are encrypted are the c-th power of the original messages. This is easily fixed
by raising each coordinate of each vote to the 1/c power. A Chaum-Pedersen proof of this operation is equally easy
to provide, thus keeping c secret while convincing verifiers, by simply reversing the roles of g and C = g^c.

Steps 1 and 2 above help randomize the input data to prohibit one from tampering with it, such as by selecting a
relationship between ballots before shuffling. The Chaum-Pedersen proof ensures the correctness of the additional
value added for this randomizing. In an alternative embodiment, steps 1 and 2 (and step 4) may be omitted.



7. Secure Message Encoding

[0063] If p-1 has small prime factors, some information about the encoded messages can be leaked. This is not a
problem with the shuffle protocols; rather it is a problem for strongly encrypting the m_i in the first place. Whether or not
this is significant enough to worry about depends on the expected value of the messages to be encoded. This problem
can also be eliminated, however, by taking special care in the encoding. Each message can be projected onto a subgroup
whose order contains only large prime factors. Since most embodiments described herein are restricted to the case
where |<g>| is a prime, q, we will only discuss in detail the case p = 2q + 1. However, the more general case can be
handled by an extension of these techniques.
[0064] Suppose that the bit length of p = 2q + 1 is b, that is

2^(b-1) < p < 2^b

so

2^(b-2) < (p-1)/2 = q < 2^(b-1) (15)

[0065] We require that all messages m be of bit length at most b-2. Rather than encrypting each message as
(g^α, h^α m) as is standard, we encrypt it as

(g^α, h^α m^2)

This means that all messages are encoded with the same trivial projection on the order 2 subgroup of Z_p^*. Equation
15 guarantees that the map m -> m^2 is invertible on the domain of definition. To invert, simply take the unique square
root which is less than (p-1)/2. Thus it is a simple matter to recover the original message, m, once the actual message,
m^2, has been decrypted.
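The following Python block is an added example (not code from the patent) that carries out the encoding just described for a constructed toy prime p = 4079 = 2·2039 + 1, and also demonstrates the leak that motivates it: the second ElGamal coordinate h^α·m is a quadratic residue exactly when m is, so without the squaring a passive observer learns one bit about m from the ciphertext alone. The parameters P, Q, G, the stand-in public key H (exponent 777) and the constructed test values are all assumptions for illustration; a deployment uses a prime of at least 1024 bits.

```python
# Added example, not the patent's code: section 7 message encoding for p = 2q + 1.
# Constructed toy parameters; a real deployment uses a prime of 1024 bits or more.
P = 4079                 # safe prime: P = 2*2039 + 1, and P % 4 == 3
Q = (P - 1) // 2         # 2039, the order of the subgroup <g> of quadratic residues
G = 4                    # 2^2 is a quadratic residue, hence generates the order-q subgroup
H = pow(G, 777, P)       # public ElGamal parameter h = g^x (x = 777 stands in for the shared key)
B = P.bit_length()       # b, the bit length of p (12 here), so 2^(b-1) < p < 2^b


def in_subgroup(y):
    """Euler's criterion: y lies in the order-q subgroup iff y^q == 1 (mod p)."""
    return pow(y, Q, P) == 1


def encode(m):
    """Project m onto <g> by squaring.  The bit length of m must be at most b - 2,
    which by equation (15) gives m < q, so m is the smaller of the two square roots."""
    if not 0 < m < 2 ** (B - 2):
        raise ValueError("message must have bit length at most b - 2")
    return pow(m, 2, P)


def decode(y):
    """Invert encode: the unique square root of y below (p - 1)/2.
    Because p == 3 (mod 4), y^((p + 1)/4) is a square root of any residue y."""
    r = pow(y, (P + 1) // 4, P)
    if pow(r, 2, P) != y:
        raise ValueError("not a quadratic residue, so not a valid encoding")
    return min(r, P - r)


def second_coordinate_leaks(m, alpha):
    """What an observer can test on the ciphertext coordinate h^alpha * m: its subgroup
    membership equals that of m, because h^alpha is always in <g>."""
    return in_subgroup(pow(H, alpha, P) * m % P)


def first_non_residue():
    """Smallest positive integer that is not a quadratic residue mod p (constructed test value)."""
    return next(m for m in range(2, P) if not in_subgroup(m))


if __name__ == "__main__":
    nr = first_non_residue()
    print(decode(encode(200)), second_coordinate_leaks(nr, 5), second_coordinate_leaks(encode(nr), 5))
```

With the raw message the observer's test returns False for a non-residue and True for a residue, i.e. one bit of m leaks; after squaring every encoded message tests True, which is the "same trivial projection" the paragraph refers to.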

8. Suitable System 

[0066] Figure 1 and the following discussion provide a brief, general description of a suitable computing environment
in which aspects of the invention can be implemented. Although not required, embodiments of the invention will be
described in the general context of computer-executable instructions, such as routines executed by a general-purpose
computer, such as a personal computer or web server. Those skilled in the relevant art will appreciate that aspects of
the invention (such as small elections) can be practiced with other computer system configurations, including Internet
appliances, hand-held devices, wearable computers, personal digital assistants ("PDAs"), multiprocessor systems,
microprocessor-based or programmable consumer electronics, network PCs, mini computers, cell or mobile phones, set-top
boxes, mainframe computers, and the like. Aspects of the invention can be embodied in a special purpose computer or
data processor that is specifically programmed, configured or constructed to perform one or more of the computer-executable
instructions explained herein. Indeed, the term "computer," as generally used herein, refers to any of the above
devices, as well as any data processor.

[0067] The invention can also be practiced in distributed computing environments where tasks or modules are
performed by remote processing devices, which are linked through a communications network, such as a Local Area Network
(LAN), Wide Area Network (WAN), or the Internet. In a distributed computing environment, program modules or sub-routines
may be located in both local and remote memory storage devices. The invention described herein may be stored
or distributed on computer-readable media, including magnetic and optically readable and removable computer disks,
stored as firmware in chips, as well as distributed electronically over the Internet or other networks (including wireless
networks). Those skilled in the relevant art will recognize that portions of the protocols described herein may reside on
a server computer, while corresponding portions reside on client computers. Data structures and transmission of data
particular to such protocols are also encompassed within the scope of the invention.

[0068] Unless described otherwise, the construction and operation of the various blocks shown in Figure 1 are of
conventional design. As a result, such blocks need not be described in further detail herein, as they will be readily
understood by those skilled in the relevant art.

[0069] Referring to Figure 1, a suitable environment of system 100 includes one or more voter or client computers
102, each of which includes a browser program module 104 that permits the computer to access and exchange data
with the Internet, including web sites within the World Wide Web portion 106 of the Internet. The voter computers 102
may include one or more central processing units or other logic processing circuitry, memory, input devices (e.g., keyboards,
microphones, touch screens, and pointing devices), output devices (e.g., display devices, audio speakers and
printers), and storage devices (e.g., fixed, floppy, and optical disk drives), all well known but not shown in Figure 1. The
voter computers 102 may also include other program modules, such as an operating system, one or more application
programs (e.g., word processing or spread sheet applications), and the like. As shown in Figure 1, there are N number
of voter computers 102, representing voters 1, 2, 3 ... N.

[0070] A server computer system 108 or "vote collection center," coupled to the Internet or World Wide Web ("Web")
106, performs much or all of the ballot collection, storing and other processes. A database 110, coupled to the server
computer 108, stores much of the web pages and data (including ballots and shuffle validity proofs) exchanged between
the voter computers 102, one or more voting poll computers 112 and the server computer 108. The voting poll computer
112 is a personal computer, server computer, mini-computer, or the like, positioned at a public voting location to permit
members of the public, or voters who may not have ready access to computers coupled to the Internet 106, to electronically
vote under the system described herein. Thus, the voter computers 102 may be positioned at individual voters' homes,
while one or more voting poll computers 112 are located publicly or otherwise accessible to voters in a public election.
The voting poll computer 112 may include a local area network (LAN) having one server computer and several client
computers or voter terminals coupled thereto via the LAN to thereby permit several voters to vote simultaneously or in
parallel.

[0071] The voting poll computer may also include an iButton reader for reading iButtons, such as cryptographic iButtons
provided by Dallas Semiconductor Corp. An iButton is a 16 mm computer chip armored in a stainless steel can that may
include a microprocessor for high-speed arithmetic computations necessary to encrypt and decrypt information, such
as signatures of voters who have registered. Further information may be found at http://www.ibutton.com. Of course,
other data storage devices besides iButtons may be employed, such as computer readable media described herein,
radio frequency identification (RFID) tags, one or two dimensional bar codes or other data collection devices, and
associated readers for these.

[0072] Under an alternative embodiment, the system 100 may be used in the context of a private election, such as
the election of corporate officers or board members. Under this embodiment, the voter computers 102 may be laptops
or desktop computers of shareholders, and the voting poll computer 112 can be one or more computers positioned within
the company (e.g., in the lobby) performing the election. Thus, shareholders may visit the company to access the voting
poll computer 112 to cast their votes.

[0073] One or more authority or organization computers 114 are also coupled to the server computer system 108 via
the Internet 106. The authority computers 114 each hold a key necessary to decrypt the electronic ballots stored in the
database 110. Threshold cryptographic systems require that a subset t of the total number of authorities n (i.e., t<n)
agree to decrypt the ballots, to thereby avoid the requirement that all authorities are needed for ballot decryption. In
other words, the objective of a threshold cryptosystem is to share a private key, s, among n members of a group such
that messages can be decrypted when a substantial subset, t, cooperate - a (t, n) threshold cryptosystem. Protocols
are defined to (1) generate keys jointly among the group, and (2) decrypt messages without reconstructing the private
key. The authority computers 114 may provide their decryption share to the server computer system 108 after the voting
period ends so that the server computer system may decrypt the ballots and tally the results.

[0074] Furthermore, under the depicted embodiment, each of the authority computers performs one shuffle of the
ballots, as described herein. In conjunction with each shuffle, each authority computer generates a shuffle validity proof,
which may be encrypted and forwarded to the server computer 108, or stored locally by the authority computer. In an
alternative embodiment, an additional set of authority computers is provided, where one set of authority computers
shuffles the encrypted ballots and generates shuffle validity proofs, while the second set of authority computers employs
key shares for decrypting the ballots.

[0075] One or more optional verifier computers 130 may also be provided, similar to the authority computers 114. The
verifier computers may receive election transcripts to verify that the election has not been compromised. For example,
the verifier computers may receive the shuffle validity proofs from each of the authority computers, as described herein.
The verifier computers may perform verifications after the election, and need not be connected to the Internet. Indeed,
the verifications may be performed by other computers shown or described herein.

[0076] The server, verifier or authority computers may perform voter registration protocols, or separate registration
computers may be provided (not shown). The registration computers may include biometric readers for reading biometric
data of registrants, such as fingerprint data, voice fingerprint data, digital picture comparison, and other techniques
known by those skilled in the relevant art. Voter registration and issuing anonymous certificates for use with verifiable
shuffles is described below.

EP 1 633 077 A2

[0077] The server computer 108 includes a server engine 120, a web page management component 122, a database
management component 124, as well as other components not shown. The server engine 120 performs, in addition to
standard functionality, portions of the electronic voting protocol. The encryption protocol may be stored on the server
computer, and portions of such protocol also stored on the client computers, together with appropriate constants. Indeed,
the above protocol may be stored and distributed on computer readable media, including magnetic and optically readable
and removable computer disks, microcode stored on semiconductor chips (e.g., EEPROM), as well as distributed
electronically over the Internet or other networks. Those skilled in the relevant art will recognize that portions of the protocol
reside on the server computer, while corresponding portions reside on the client computer. Data structures and
transmission of data particular to the above protocol are also encompassed within the present invention. Thus, the server
engine 120 may perform all necessary ballot transmission to authorized voters, ballot collection, verifying ballots (e.g.,
checking digital signatures and passing verification of included proofs of validity in ballots), vote aggregation, ballot
decryption and/or vote tabulation. Under an alternative embodiment, the server engine 120 simply collects all electronic
ballots as a data collection center. The electronic ballots are then stored and provided to a third party organization
conducting the election, such as a municipality, together with tools to shuffle ballots, decrypt the tally and produce election
results. Likewise, election audit information, such as shuffle validity proofs and the like, may be stored locally or provided
to a municipality or other organization.

[0078] The web page component 122 handles creation and display or routing of web pages such as an electronic
ballot box web page, as described below. Voters and users may access the server computer 108 by means of a URL
associated therewith, such as http://www.votehere.net, or a URL associated with the election, such as a URL for a
municipality. The municipality may host or operate the server computer system 108 directly, or automatically forward
such received electronic ballots to a third party vote authorizer who may operate the server computer system. The URL,
or any link or address noted herein, can be any resource locator.

[0079] The web page management process 122 and server computer 108 may have secure sections or pages that
may only be accessed by authorized people, such as authorized voters or system administrators. The server computer
108 may employ a secure socket layer ("SSL") and tokens or cookies to authenticate such users. Indeed, for small
elections, or those where the probability of fraud is low (or results of fraud are relatively inconsequential), the system
100 may employ such simple network security measures for gathering and storing votes as explained below, rather than
employing complex electronic encrypted ballots, as described in the above-noted patent application. Methods of
authenticating users (such as through the use of passwords), establishing secure transmission connections, and providing
secure servers and web pages are known to those skilled in the relevant art.

[0080] The election scheme and system uses a "bulletin board" where each posting is digitally signed and nothing
can be erased. See papers by K. Sako, J. Kilian, R. Cramer, R. Gennaro, and B. Schoenmakers. The bulletin board is
implemented as a web server. The "ballot box" resides on the bulletin board and holds all of the encrypted ballots.
Erasing can be prevented by writing the web server data to a write-once, read-many (WORM) permanent storage medium
or similar device. Further details on such a bulletin board system are found in U.S. Patent Application No. 09/534,836,
entitled "Electronic Voting Scheme Employing Permanent Ballot Storage."

[0081] Note that while one embodiment of the invention is described herein as employing the Internet to connect
computers, other alternative embodiments are possible. For example, aspects of the invention may be employed by
stand alone computers. Aspects of the invention may also be employed by any interconnected data processing machines.
Rather than employing a browser, such machines may employ client software for implementing aspects of the methods
or protocols described herein.

9. Election Example

[0082] One application of the general k-shuffle protocol is in the area of electronic voting. In order to make an election
universally verifiable, submitted ballots must initially be irrefutably connectable to a valid (i.e., registered) voter. Somehow
ballots must be "separated from their signatures" by a verifiable process - i.e., one that does not allow phony ballots to
be substituted in the separation process - before they can be "opened".

[0083] The protocol we present here relies on a set of N "tabulation authorities" with differing interests in the election
results.

1. The protocol is a threshold scheme in that at least t authorities must behave honestly in order for tabulation to
be completed. (The parameter t can be chosen in advance of the election to be any value 1 ≤ t ≤ N.) Thus, in
particular, it is not necessary that the authorities complete their shuffles in any particular order, nor is it even necessary
(except in the special case t = N) that all the authorities participate.

2. Even if all the authorities conspire, they cannot produce false election results without being caught by an external
auditor who wishes to verify the results.

3. Privacy of an individual vote can only be compromised by a conspiracy of at least t of the authorities to do so.
[0084] The protocol proceeds as follows:

First: Initialize Election

[0085]

1. The authorities first agree on the election parameters:

(a) Parameters necessary for any election, including: the set of eligible voters, the ballot questions, the ballot
answers, the ballot style, the time the polls are to be opened and closed, etc.

(b) The collection of tabulation authorities: i.e., themselves. (We henceforth use N to denote the number of
authorities in this group.)

(c) The threshold parameter, t.

(d) A shuffle parameter, s, with 1 ≤ s ≤ t. (s = t is a natural choice.)

(e) A group G and a subgroup generator, g ∈ G. (In order to achieve secure encryption, the prime factors of |g|
should be large; however, this requirement is, of course, open to interpretation by the authorities themselves.)

(f) A standard "bit encoding" for response(s) (e.g., ASCII) and a small "message multiplicity" integer d ≥ 1. The
message multiplicity refers to an agreed upon subdivision of each ballot, and corresponds to ballot formatting
(similar to the layout of a paper ballot to indicate where responses to each ballot question are to be located). d
is typically chosen as small as possible to accommodate the ballot response size. Most often, d = 1 will work,
because the message multiplicity is determined by the key length, and because a sufficiently large key length
(e.g., 1024 bits) can accommodate most ballots having a reasonable number of questions.

(g) A group element h ∈ <g>, which is created by way of an (N, t) secret sharing scheme executed by the
authorities. (See the T. Pedersen article cited above.)

2. Once agreement is reached on the election parameters, the authorities all "sign" them, and some representation
of this signed set of parameters becomes the signed ballot.

Second: Vote 

[0086]

1. During the election (i.e., while "polls are open"), each voter V_i encodes his response(s) by the election standard
"bit encoding" (agreed upon and signed by the authorities during election initialization - see above) into a sequence
of messages, m_1, ..., m_d ∈ G. (More on this in the section below.) The "message multiplicity," d, is another election
parameter (see above).

2. V_i selects exponents α_1, ..., α_d independently at random from 0 < α_j < |g| for the encryption.

3. V_i returns to the ballot collection center the encrypted response sequence

(g^α_1, h^α_1 m_1), ..., (g^α_d, h^α_d m_d) (16)

along with an "attached" digital signature, created by V_i, to authenticate the response by tying it to a particular eligible
voter.

4. If the digital signature submitted by V_i verifies and V_i has not previously been issued a ballot, then V_i is issued a
receipt, signed by the central collection agency. This receipt acknowledges that a ballot from this voter, in this
particular election, has been received, but includes no information (not even encrypted or hashed information) about
the contents of the ballot. The receipt may also be broadcast to the voter. The receipt also serves to confirm that
the voter's ballot was not lost and not maliciously deleted.
Third: Tabulate Results

[0087]

1. At the start, the collection of voter responses are laid out in 2d sequences, each of length N_cast, where N_cast is
the total number of ballot responses received. Each sequence corresponds to a coordinate in the standard ballot
response format (equation 26). The entries in each sequence are ordered by voter. The index assigned to each
voter is not important, just so long as the indices are consistent. This way, an external observer can check that the
signed ballots have been transformed in a very simple way, and that, applying the right interpretation to the data
layout, it still represents the same set of responses that were signed and received.

2. In any convenient order, a sequence of s authorities each execute the following steps:

(a) Let S be the authority currently in sequence.

(b) S selects independently at random d N_cast exponents β(j, l), for 1 ≤ j ≤ N_cast and 1 ≤ l ≤ d.

(c) S calculates the group elements g_S(j, l) = g^β(j, l) and h_S(j, l) = h^β(j, l). Further, an intermediate Chaum-Pedersen
proof is generated on (g, g_S(j, l), h, h_S(j, l)).

(d) S then transforms the 2d input sequences into 2d intermediate sequences. The j-th entry of the l-th input
sequence of the form g^α is transformed by multiplying it by g_S(j, l), and the j-th entry of the l-th input sequence
of the form h^α m is transformed by multiplying it by h_S(j, l). The transformed entries are all kept in the same order.

(e) S chooses a random exponent 0 ≤ c < |g|, and a random permutation π ∈ Σ_N_cast, and commits C = g^c.

(f) S then executes a general k-shuffle (with k = N_cast) on each of the 2d intermediate sequences, using the
secret parameters c and π, and reusing the same simple k-shuffle as the basis for each general k-shuffle. (This
ensures that each of the 2d sequences is subjected to the same secret "permutation".)

(g) (i) S repeats step (d) with new random β's.

(ii) S raises each coordinate of each vote to the 1/c power and provides a Chaum-Pedersen proof of this
operation, thus keeping c secret while convincing verifiers, by simply reversing the roles of g and C = g^c.

(h) (Note that S need not explicitly compute the intermediate sequences at this stage. They are necessary for
external verification later, but the output can be computed directly and the intermediate sequences constructed
on request of an auditor. However, security concerns may dictate that the auditor perform the verifications before
beginning the next shuffle.)

3. Shuffled ballots are now reconstructed by combining entries of each of the 2d sequences in the same way they
were formed.

4. Finally, t authorities execute the threshold decryption protocol on each shuffled ballot.
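The re-encryption shuffle of steps 1-5 in [0062] and of tabulation step 2 above, as an added example that is not the patent's or any product's code. It uses a constructed toy group (p = 4079 = 2·2039 + 1, g = 4 of order 2039), a single election private key in place of the threshold scheme, and messages squared per section 7 so that they lie in the subgroup. The k-shuffle zero-knowledge proof of the permutation itself (the protocol of sections 3-5) is not modelled; only the Chaum-Pedersen proofs of the re-randomization and of the final 1/c step are produced, and an auditor routine checks them across a chain of authorities. All parameter values and sample messages are assumptions made for illustration.

```python
# Added example (not the patent's code): ElGamal re-encryption shuffle following
# steps 1-5 of [0062] / tabulation step 2.  Constructed toy parameters, one private
# key instead of a threshold scheme, and no k-shuffle proof of the permutation; only
# the Chaum-Pedersen proofs for re-randomization and the 1/c step are produced.
import hashlib
import secrets

P, Q, G = 4079, 2039, 4        # safe prime p = 2q + 1; g = 4 generates the order-q subgroup
X_SECRET = 123                 # election private key (stands in for the shared key)
H = pow(G, X_SECRET, P)        # public parameter h = g^x
RNG = secrets.SystemRandom()


def challenge(*vals):
    """Fiat-Shamir challenge in Z_q, binding the proof to all public values."""
    digest = hashlib.sha256(",".join(map(str, vals)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def cp_prove(g1, y1, g2, y2, x):
    """Chaum-Pedersen proof that log_g1(y1) = log_g2(y2) = x, without revealing x."""
    w = RNG.randrange(Q)
    a1, a2 = pow(g1, w, P), pow(g2, w, P)
    c = challenge(g1, y1, g2, y2, a1, a2)
    return (a1, a2, (w - c * x) % Q)


def cp_verify(g1, y1, g2, y2, proof):
    a1, a2, r = proof
    c = challenge(g1, y1, g2, y2, a1, a2)
    return (pow(g1, r, P) * pow(y1, c, P) % P == a1
            and pow(g2, r, P) * pow(y2, c, P) % P == a2)


def encrypt(m):
    """Voter side: (g^alpha, h^alpha * m) for a message m already in the subgroup <g>."""
    alpha = RNG.randrange(Q)
    return (pow(G, alpha, P), pow(H, alpha, P) * m % P)


def decrypt(ct):
    a, b = ct
    return b * pow(a, Q - X_SECRET, P) % P          # b * a^(-x)


def rerandomize(votes):
    """Steps 1-2: multiply vote i by (g^beta_i, h^beta_i) and prove both factors share beta_i."""
    out, proofs = [], []
    for a, b in votes:
        beta = RNG.randrange(Q)
        gb, hb = pow(G, beta, P), pow(H, beta, P)
        out.append((a * gb % P, b * hb % P))
        proofs.append(((gb, hb), cp_prove(G, gb, H, hb, beta)))
    return out, proofs


def verify_rerandomize(before, after, proofs):
    """Each published factor pair must be well formed and must actually map input to output."""
    for (a, b), (a2, b2), ((gb, hb), pf) in zip(before, after, proofs):
        if not cp_verify(G, gb, H, hb, pf) or (a * gb % P, b * hb % P) != (a2, b2):
            return False
    return True


def shuffle_authority(votes):
    """One authority's turn.  Returns its output ballots and the public transcript."""
    stage1, proofs1 = rerandomize(votes)                          # steps 1-2
    c = RNG.randrange(1, Q)                                       # secret exponent; C = g^c is public
    C = pow(G, c, P)
    perm = list(range(len(votes)))
    RNG.shuffle(perm)                                             # the secret permutation
    powered = [(pow(stage1[i][0], c, P), pow(stage1[i][1], c, P)) for i in perm]  # step 3
    stage2, proofs2 = rerandomize(powered)                        # step 4
    c_inv = pow(c, -1, Q)
    final, proofs3 = [], []
    for a, b in stage2:                                           # step 5: undo the c-th power
        a_out, b_out = pow(a, c_inv, P), pow(b, c_inv, P)
        final.append((a_out, b_out))
        # roles of g and C reversed: log_C(g) = log_a(a_out) = log_b(b_out) = 1/c
        proofs3.append((cp_prove(C, G, a, a_out, c_inv), cp_prove(C, G, b, b_out, c_inv)))
    transcript = {"stage1": stage1, "proofs1": proofs1, "C": C, "powered": powered,
                  "stage2": stage2, "proofs2": proofs2, "proofs3": proofs3}
    return final, transcript


def verify_authority(inputs, outputs, t):
    """Auditor's checks on one transcript (the k-shuffle proof of step 3 is not modelled)."""
    if not verify_rerandomize(inputs, t["stage1"], t["proofs1"]):
        return False
    if not verify_rerandomize(t["powered"], t["stage2"], t["proofs2"]):
        return False
    return all(cp_verify(t["C"], G, a, a_out, pa) and cp_verify(t["C"], G, b, b_out, pb)
               for (a, b), (a_out, b_out), (pa, pb) in zip(t["stage2"], outputs, t["proofs3"]))


def run_election(messages, n_authorities=3):
    """Encrypt, chain the ballots through shuffling authorities, verify each, decrypt, tally."""
    current = [encrypt(m) for m in messages]
    for _ in range(n_authorities):
        nxt, transcript = shuffle_authority(current)
        if not verify_authority(current, nxt, transcript):
            raise RuntimeError("shuffle transcript failed verification")
        current = nxt
    return sorted(decrypt(ct) for ct in current)


if __name__ == "__main__":
    encoded = [pow(m, 2, P) for m in (3, 7, 11, 200)]   # constructed messages, squared per section 7
    print(run_election(encoded) == sorted(encoded))     # tally matches the submitted multiset
```

The tally is returned sorted because the whole point of the chain is that ballot order carries no information afterwards. The auditor can detect an authority that alters a ballot during re-randomization, since the published factor pairs are tied to the input by the Chaum-Pedersen proof and to the output by the multiplication check; what this toy does not detect is a substitution hidden inside step 3, which is exactly what the k-shuffle proof of the preceding sections exists to prevent.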

[0088] In general, the tabulation phase includes two subphases. First, a set of T ≤ t of the tabulation authorities each
execute, in sequence, a verifiable k x d shuffle (where k is the total number of ballots cast). The output sequence and
proofs from each shuffle is signed and passed to the next tabulation authority. (Each tabulation authority executes its
shuffle only if the input passes both a signature check and a check of the (previous) shuffle zero-knowledge proof ("ZKP")
and the intermediate Chaum-Pedersen proofs.) Second, once the full round of shuffles have been executed and verified,
a set of t tabulation authorities use their secret key shares to jointly (and verifiably) compute a decryption of each pair
in the final set of ElGamal pairs.

[0089] In general, each shuffling authority will know the input-output correspondence, since it is responsible for
generating the permutation in the first place. However, shuffles are staged. Thus the output of one shuffle is used as the
input to another shuffle performed by a different shuffling authority. Thus, unless all authorities conspire, no one shuffling
authority will have any knowledge of the correspondence between initial input and final output. As described below,
however, a further enhancement eliminates this possibility.
Fourth: Externally Verify Election

[0090] On request, each authority publishes

(a) His intermediate sequences.

(b) Chaum-Pedersen proofs CP(g, g_S(j, l), h, h_S(j, l)) for 1 ≤ j ≤ N_cast and 1 ≤ l ≤ d.

(c) His k-shuffle proof.

(d) The Chaum-Pedersen proofs under step (g) above.

[0091] In general, an election transcript may be published that contains the following:

1. The voter roll containing voter identification information and voter public keys.

2. The original set of k voter-signed ballots.

3. The t k x d shuffles (including proofs, as noted above).

4. The final share decryption validity proofs.

5. The final tallies.

[0092] Remark: Several variations on the order in which the authorities execute their tabulation steps (Tabulation
steps 2 (a) - (h) above) are possible. In particular, the steps can be interleaved under alternative embodiments.

[0093] Remark: The External Verification phase can be carried out as tabulation is going on, or at a later time. The
authorities need only save their stage parameters.

[0094] Referring to Figure 2, a schematic diagram illustrates a basic application of the shuffle protocol to an election,
shown as a method 200. In block 202, three encrypted ballots are submitted, one each for voters Joe Smith, Sally Jones,
and Ian Kelleigh. In block 204, the list or roll of voters is separated from the encrypted ballots, which are shown in block
206. Thereafter, a one-way reencryption of the ballots is performed to produce a shuffled set of ballots, shown in block
208. A shuffle validity proof is generated based on this first shuffle, shown in block 210. The shuffle validity proof allows
a third party to ensure that all input data (the ballots) had the same operation applied to them, and that no altering of
the ballots had been performed.

[0095] A second shuffle of the (previously shuffled) ballots is performed, to generate a second shuffled set of ballots,
shown as block 212. Again, a shuffle validity proof is generated, shown in block 214. The shuffled ballots of block 212
are shuffled a third time, to produce a final shuffled set of ballots under block 216. A third validity proof 218 is likewise
generated based on the third shuffle. In sum, a three-by-three shuffle array is provided under this example. Following
the shuffling, the ballots are decrypted to produce a tally, shown as block 220. A third party may verify the election
by analyzing, among other things, each shuffle validity proof to ensure that each shuffler has preserved election integrity.
[0096] The shuffle protocol is presented above as effectively separate subroutines that may be employed for various
applications, such as in an electronic voting scheme. A first subroutine provides the functionality of scaled, iterated,
logarithmic multiplication proofs between a prover and a verifier. A second subroutine provides the functionality of a
simple shuffle protocol and employs the scaled, iterated, logarithmic multiplication proofs. Thereafter, a third subroutine
implements general shuffle functionality, where the shuffler does not know the exponents, building upon the second
subroutine of the simple shuffle. A fourth subroutine extends the third subroutine to shuffling k-tuples of elements.

[0097] Referring to Figure 3, a routine 300 is shown for implementing scaled, iterated, logarithmic multiplication proofs.
In block 302, initial cryptographic parameters are agreed upon, such as by a voting organization. These initial parameters
include the group (e.g., Z_p), a subgroup generator g, the size of the group G, and the size of the generated subgroups p
and q. This information may be provided to a number n of shuffler or authority computers 114 and verifier computers 130.

[0098] In block 304, the shuffler (or Prover P) selects a secret exponent c, and based on the subgroup generator g
generates C. Additionally, the shuffler may receive or generate Y values for received X's, for indexes of i for 1
through k, and provides the X's, Y's, and C to the verifier.

[0099] In block 304, the shuffler also secretly generates random exponents r_i which, based on the subgroup
generator g, are used to generate values R_i for each value of i of 0 through k. Similarly, under block 304, the shuffler
employs the generated random exponents to generate W_i and Z_i.

[0100] In block 306, the shuffler provides Chaum-Pedersen proofs for each element 1 through k for the values of
X_i, R_i, W_i, and C, W_i, Z_i. These values for the Chaum-Pedersen proofs are then provided to the verifier, together with
the values Z_i and z. The verifier then, in block 308, verifies the correctness of the proof data to accept or reject the proof.
In other words, the verifier checks that each z_i, as an exponent to the subgroup generator g, generates a corresponding
Z_i, checks each Chaum-Pedersen proof, checks that the product of the z_i's is equal to z, and that the value R_0 raised to
the power z is equal to R_k.

[0101] Referring to Figure 4, a routine 400 is shown for performing a simple shuffle protocol, as described above. 
Following block 302, the block 404 is similar to block 304, but the shuffler shuffles the X elements by a permutation π 
to generate the Y elements. The verifier in block 408 generates a random value t as a challenge. In response, the shuffler 
in block 408 uses t as an exponent to the subgroup generator g to secretly generate the value T, which, when combined 
with the shuffler's secret exponent c, permits the shuffler to secretly generate a value S. As shown, the shuffler then 
publicly generates values U_i and V_i and provides a Chaum-Pedersen proof for (g, C, T, S) under block 410. In block 410, 
the shuffler also generates proof data as a scaled iterated logarithmic multiplication proof for each of the elements X and 
Y in the series of i of 1 through k. The proof data is then provided to the verifier in block 412. The verifier verifies the 
correctness of the proof data and accepts or rejects it. In other words, the verifier executes the scaled iterated logarithmic 
multiplication proof protocol noted above for the sequences of U and V, and checks the commitment value C. 
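The simple k-shuffle round just described, worked as an added Python example that is not code from the patent: it builds the commitment C = g^c and the shuffled Y_i = X_{π(i)}^c, answers the verifier's challenge t with T = g^t and S = T^c, derives the sequences U_i = X_i / T and V_i = Y_i / S, and attaches a Chaum-Pedersen proof for (g, C, T, S) made non-interactive with the Fiat-Shamir heuristic the text mentions. The scaled iterated logarithmic multiplication proof itself is not reproduced; instead `exponent_relation_holds` evaluates, with the prover's secrets, the relation that proof establishes in zero knowledge, c^k · Π log_g U_i = Π log_g V_i (mod q), and shows that substituting one Y element breaks it. The group parameters (p = 1019, q = 509, g = 4), the hash-to-Z_q challenge encoding and the sample exponents are toy assumptions for the demonstration, not secure values.

```python
import hashlib
import random

# Toy Schnorr group, an assumption for this demo and NOT a secure size:
# p = 2q + 1 with q prime, and g = 4 generates the order-q subgroup <g> of Z_p*.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1

def inv(x):
    """Modular inverse in Z_p (p prime)."""
    return pow(x, P - 2, P)

def fs_challenge(*values):
    """Fiat-Shamir challenge in Z_q: hash of the public transcript so far (toy encoding)."""
    digest = hashlib.sha256(",".join(str(v) for v in values).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def cp_prove(g, x, h, y, alpha, rng):
    """Chaum-Pedersen proof that log_g(x) = log_h(y) = alpha, made non-interactive."""
    w = rng.randrange(1, Q)
    a, b = pow(g, w, P), pow(h, w, P)          # commitments
    e = fs_challenge(g, x, h, y, a, b)          # challenge derived from the transcript
    r = (w + e * alpha) % Q                     # response
    return a, b, r

def cp_verify(g, x, h, y, proof):
    a, b, r = proof
    e = fs_challenge(g, x, h, y, a, b)
    return (pow(g, r, P) == a * pow(x, e, P) % P
            and pow(h, r, P) == b * pow(y, e, P) % P)

def shuffle_round(x_logs, c, perm, t, rng):
    """One simple k-shuffle round from the shuffler's side (blocks 404 through 410)."""
    X = [pow(G, x, P) for x in x_logs]                    # X_i = g^{x_i}
    Y = [pow(X[perm[i]], c, P) for i in range(len(X))]    # Y_i = X_{pi(i)}^c
    C = pow(G, c, P)                                      # commitment to c
    T = pow(G, t, P)                                      # T = g^t from the challenge t
    S = pow(T, c, P)                                      # S = T^c
    U = [x * inv(T) % P for x in X]                       # U_i = X_i / T = g^{x_i - t}
    V = [y * inv(S) % P for y in Y]                       # V_i = Y_i / S = g^{c x_pi(i) - c t}
    proof = cp_prove(G, C, T, S, c, rng)                  # proves S = T^c for the committed c
    return {"X": X, "Y": Y, "C": C, "T": T, "S": S, "U": U, "V": V, "cp": proof}

def exponent_relation_holds(x_logs, y_logs, c, t):
    """The relation the scaled ILMP proves: c^k * prod(x_i - t) = prod(y_i - c t) (mod q).
    Evaluated here with the secret exponents, which a real verifier never sees."""
    k = len(x_logs)
    lhs = pow(c, k, Q)
    for x in x_logs:
        lhs = lhs * ((x - t) % Q) % Q
    rhs = 1
    for y in y_logs:
        rhs = rhs * ((y - c * t) % Q) % Q
    return lhs == rhs

def demo(seed=1, k=5):
    rng = random.Random(seed)
    x_logs = rng.sample(range(1, Q), k)      # constructed sample exponents x_i
    c = rng.randrange(1, Q)
    perm = list(range(k)); rng.shuffle(perm)
    t = rng.randrange(1, Q)
    while t in x_logs:   # keep every x_i - t nonzero so the tampering check below is decisive
        t = rng.randrange(1, Q)
    out = shuffle_round(x_logs, c, perm, t, rng)
    y_logs = [c * x_logs[perm[i]] % Q for i in range(k)]
    bad_y_logs = y_logs[:]; bad_y_logs[0] = (bad_y_logs[0] + 1) % Q   # one element substituted
    return {
        "cp_ok": cp_verify(G, out["C"], out["T"], out["S"], out["cp"]),
        "U_matches_logs": all(out["U"][i] == pow(G, (x_logs[i] - t) % Q, P) for i in range(k)),
        "V_matches_logs": all(out["V"][i] == pow(G, (y_logs[i] - c * t) % Q, P) for i in range(k)),
        "relation_ok": exponent_relation_holds(x_logs, y_logs, c, t),
        "relation_after_tamper": exponent_relation_holds(x_logs, bad_y_logs, c, t),
    }

if __name__ == "__main__":
    print(demo())
```

The point of the reduction is visible in `exponent_relation_holds`: because y_i = c · x_{π(i)}, every factor y_i − ct equals c · (x_{π(i)} − t), so the product over the V sequence is c^k times the product over the U sequence, and the Chaum-Pedersen proof on (g, C, T, S) ties the S used in that division to the same c that was committed in C.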

[0102] Referring to Figure 5, a general shuffle protocol 500 is shown where the shuffler does not know the exponents. 
The initial steps in the protocol 500 are similar to those of 400, except that the verifier adds a randomizing element to the 
shuffler's secret exponents. As shown in block 502, the shuffler secretly generates a random sequence of initial values, 
which are used as exponents with the subgroup generator g to generate an initial sequence (Û_i = g^{û_i}). Likewise, in 
block 504, the verifier secretly generates another sequence of elements e_i for values i of 1 through k, and provides the 
sequence to the shuffler as a challenge. In block 506, the shuffler secretly adds the challenge sequence e to the previous 
sequence, to then publicly generate a series of values U (U_i = g^{u_i}, with u_i = û_i + e_i). 

[0103] In block 508, the shuffler constructs a simple k-shuffle on the sequence U with another secretly generated 
commitment D (that employs a different secret exponent d chosen by the shuffler) and generates a sequence of values 
V. Then publicly, the shuffler reveals Chaum-Pedersen proofs for a sequence of values A_i and B_i for indexes 1 through 
k, publicly generates the products of the sequences as values A and B, and provides a Chaum-Pedersen proof for the 
relation between D, A, C and B, as shown. Under block 510, this proof data is provided to the verifier, who verifies it 
under block 512. 

10. Issuing Anonymous Certificates With Verifiable Shuffles 

[0104] Presented above is a new, efficient construction for verifiably shuffling encrypted data, and a particular way 
that this construction can be used to conduct a universally verifiable electronic election system. That system depends 
on a collection of election authorities to "shuffle," or "anonymize," the ballot data that has been collected at vote time. 
This process takes place after all votes have been cast, but before ballots are decrypted and tabulated. The validity 
construction prevents any one or more of the election authorities from making any changes to the original election data 
without being discovered by anyone auditing the final election transcript. 

[0105] A disadvantage with this approach is that voter anonymity is not protected by as strong a mechanism as is 
election integrity. Election integrity is protected by pure computational intractability: it is essentially impossible for the 
election authorities to produce false election results without detection, even if they all act in collusion. However, by 
acting in collusion, they are able to determine the contents of any individual voter's ballot with relative ease. 
[0106] The same underlying shuffle construction can be used to construct a new election protocol that eliminates this 
weakness. The idea is to move the shuffling to the registration, or ballot request, phase of the election, thereby anonymizing 
the identities of the voters without losing strict control and audit of election eligibility rules, i.e., only ballots cast by 
registered voters should be counted, and multiple ballots from the same voter should not be accepted. With this accom- 
plished, it is no longer even necessary to encrypt ballots, and tabulation can be performed "in the clear," which is 
obviously an easy process to audit. 

[0107] The idea of using the construction as part of an anonymous registration process has applications beyond 
voting. Any situation where access to a resource, such as a server or file, needs to be limited to authorized personnel, 
but where those who are authorized wish to protect their individual identity, may use this construction to meet both 
requirements simultaneously. For example, applications of group signatures may be equally applicable to the protocols 
described herein. Note also that the term "voter" is generally used herein to refer to any individual or organization that 
employs some or all of the protocols described herein. 
Outline of the Protocols 

[0108] Two protocol variants are provided, both of which follow the same high level flow of information. Each protocol 
begins with the assumption that a set of public keys has been stored in some central authentication database, or certificate 
server. Each corresponding private key is known by one, and only one, eligible voter. Furthermore, the correspondence 
between public key and individual voter is known by the entity, or entities, who control the certificate server. (The exact 
form of these public/private key pairs is slightly different in each variant of the protocol.) In practice, the public keys 
will likely be wrapped in the form of a digital certificate which ties all identifying information together with the public key 
in a single piece of formatted data. (This is the convention followed by widely accepted Public Key Infrastructures, or 
PKIs.) 

[0109] Typically, this distribution of keys and certificates will be accomplished by a tightly controlled registration process, 
the most secure of which would be an "in person" registration process where the voters can be physically identified at 
the time of certificate generation. (Such registration processes are described in detail in U.S. Patent Application No. 
09/534,836 noted above.) It is important to distinguish between two different types of certificates that exist in the protocols. 
The first type are the certificates just described, where the association between public key and individual person is 
publicly, or at least widely, known ("standard certificates"). The second type are the certificates that will be distributed in 
the stages of the protocol that follow the initial registration phase just described ("anonymous certificates"). These 
anonymous certificates are distinguishable from each other, at the very least by the fact that they contain different public 
keys; however, the only individual who knows the owner of a given anonymous certificate is the owner himself. It is the 
goal of the protocol to guarantee that 

• Only individuals who own one of the standard certificates are issued an anonymous certificate. 

In most applications, such as the voting application, it is also the goal of the protocol to guarantee that 

• Each individual is issued only as many anonymous certificates as he/she has standard certificates. (Usually, each 
owner of a standard certificate will have only one standard certificate.) 

[0110] Once the registration of standard certificates is complete, the protocol variants each proceed as follows. 
[0111] Initialization: A set, K, of raw public keys is constructed at the certificate server (e.g., server 108), and initially 
set to be the set of public keys associated with the set of standard certificates. The set of public keys is generated during 
the initial registration process of each individual, when that individual registers and receives, for example, a standard 
digital certificate. The public keys generated under the initial registration process are pooled together to generate the 
set K. Each individual holds a private key associated with one of the public keys in the set K. 

1. An individual, P, contacts the certificate server, S, through a digital communication channel (such as the Internet) 
indicating that he wishes to obtain an anonymous certificate. 

2. S returns to P a set, H ⊆ K, of public keys (which includes P's public key), and stores the set J = K − H. (Ideally, 
H = K and J = ∅, but for reasons of communication bandwidth, the inclusion may be proper. For example, a subset 
of the public keys K may be provided to the individual P where the set of public keys is quite large, and bandwidth 
constraints for transmission effectively limit transmission of such a large set of keys. For other reasons, the certificate 
server may wish to return only a subset of the public keys.) 

3. P selects a subset M ⊆ H, which may be all of H, and sets M' = H − M. 

4. P computes H', which is a shuffle transformation of M. (See above and the following sections.) P also generates 
a formatted anonymous certificate request. This is done by generating a random public/private key pair, and for- 
matting the public part with some "random ID" data to conform to a specified certificate format. (Needless to say, P 
must also store the private part in some safe place.) 

5. P returns H', M and M' to S along with 

(a) The shuffle transcript, or validity proof, which proves to S, or any auditor, that H' is, in fact, a valid shuffle 
transformation of M. 

(b) A proof that P knows the private key corresponding to a particular element, h' ∈ H'. 

(c) The formatted certificate request. 

6. S checks that H = M ∪ M' along with the validity of both 5a and 5b. 

(a) If any of the checks fail, S indicates failure to P and either terminates the communication with P, or gives 
P an appropriate chance to retry. 

(b) If both checks pass, then 

i. If anonymous certificates are intended to be issued only once to each owner of a standard certificate, S sets 

(17) 

K = J ∪ M' ∪ H'   (18) 

or, if, for some reason, it is desired to issue anonymous certificates multiple times to each owner of a 
standard certificate, S sets 

K = J ∪ M' ∪ H'   (19) 

ii. And, S digitally signs the formatted certificate request, thereby creating an anonymous certificate, re- 
turns the (signed) certificate to P, and stores the certificate in the database for later anonymous authen- 
tication. 

7. The process now continues from the beginning with a new P, and K appropriately modified. 

[0112] In other words, the individual P may prove to the certificate server S that the individual holds a private key 
associated with one of the public keys in the subset M selected by the individual, without revealing which one, by shuffling 
the subset M of public keys. After issuing an anonymous certificate, the certificate server then removes the one shuffled 
public key from the shuffled set of public keys for use by the next individual requesting an anonymous certificate. 

Anonymous Authentication and Signatures 

[0113] The basic construction of the shuffle protocol above solves the following problem. 

[0114] General k-Shuffle Problem: Two sequences of k elements of Z_p, S = {X_1, ..., X_k} and T = {Y_1, ..., Y_k}, are publicly 
known. In addition, a constant c ∈ Z_q is known only to P, but a commitment of c, C = g^c, is made known to V. P is required 
to convince V that there is some permutation, π ∈ Σ_k, with the property that 

Y_{π(i)} = X_i^c   (20) 

for all 1 ≤ i ≤ k without revealing any information about π or the secret c. 

[0115] In the shuffle protocol above, the solution to this problem is first presented as an interactive proof protocol 
executed by P and V, but it is made non-interactive by standard application of the Fiat-Shamir heuristic. We denote the 
resulting verification transcript, produced by the shuffler, P, by T(S, T, g, C). 
Anonymous Authentication Protocol 1 

[0116] In this variant of the protocol 

• The public keys are elements h_i ∈ <g> ⊂ Z_p, and the corresponding private keys are simply the secret exponents, s_i = log_g h_i. 

• The set H must always be taken to be all of K, i.e. H = K. 

• The set M must also always be all of H, i.e. M = H and M' = ∅. 

• S must store one additional modular integer, G ∈ <g>, which will be modified during each authentication session. At 
initialization, G is set equal to g. 

[0117] The protocol proceeds as described in the previous section, with the following modifications. 

1. In step 2, S must also return G to P. 

2. The transcript that is returned to P in step 5a is exactly 

T(M, H', G, C) = T(H, H', G, C)   (21) 

3. The proof of private key knowledge in step 5b is exactly the integer e = cs ∈ Z_q, along with the particular value 
h' ∈ H' (or its index) which satisfies 

h' = G^e   (22) 

Note that there will be one, and only one, such value. Further note that since c is random and independent of s, 
revealing e does not reveal information about s. The corresponding check that S performs is simply to verify equation 
22. 

4. If the checks in equation 22 all pass, then in addition to the transformations performed in i and ii, S also performs 
the transformation 

G = C   (23) 
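Anonymous Authentication Protocol 1, worked end to end as an added Python example (this is not code from the patent). Registrants hold h_i = g^{s_i}; a requester shuffles H = K by exponentiation with a fresh secret c, reveals e = cs together with the new index of its own key, and the server checks equation (22), removes h' from K, and replaces G by C as in equation (23). The shuffle transcript T(H, H', G, C) is not re-verified here (its proof is the construction of the earlier sections); the example takes it as accepted and concentrates on why the base replacement keeps every remaining key in the form G^s, so that the next registrant can run the same steps, and on why a repeated request or an unregistered secret is rejected. The group (p = 1019, q = 509, g = 4), the registrant secrets and the certificate request layout are toy assumptions for the demonstration; signing of the request is omitted.

```python
import random

# Toy Schnorr group, an assumption for this demo and NOT a secure size:
# p = 2q + 1 with q prime, g = 4 of order q in Z_p*.
P, Q, g = 1019, 509, 4

class CertificateServer:
    """Server side of Anonymous Authentication Protocol 1.
    State: the running base G (initially g) and the key set K (= H, since Protocol 1 requires
    H = K and M = H). Every key in K equals G^s for exactly one registered secret s, and the
    base replacement G = C after each session keeps that true for the shuffled keys."""

    def __init__(self, standard_pubkeys):
        self.G = g
        self.K = list(standard_pubkeys)
        self.issued = []       # accepted anonymous certificate requests (signing omitted)
        self.audit = []        # (G, H, C, H') kept with the transcript for later auditing

    def request(self):
        """Step 2: return G and H = K to the requester."""
        return self.G, list(self.K)

    def issue(self, C, H_prime, index, e, cert_request, shuffle_transcript_ok):
        """Step 6: 5a is the shuffle transcript T(H, H', G, C), assumed verified by the caller with
        the shuffle proof of the earlier sections; 5b is equation (22). Then apply (18) and (23)."""
        if not shuffle_transcript_ok or len(H_prime) != len(self.K):
            return False
        if pow(self.G, e, P) != H_prime[index]:          # equation (22): h' = G^e
            return False
        self.audit.append((self.G, list(self.K), C, list(H_prime)))
        self.K = [h for j, h in enumerate(H_prime) if j != index]   # K = H' minus h' (J = M' = empty)
        self.G = C                                                   # equation (23): G = C
        self.issued.append(cert_request)
        return True

def register(secrets):
    """Standard certificates: public key h_i = g^{s_i} for each registrant's secret s_i."""
    return [pow(g, s, P) for s in secrets]

def client_session(server, s, rng):
    """Steps 1 to 5 for a registrant holding the secret s."""
    G, H = server.request()
    c = rng.randrange(1, Q)                                   # fresh secret shuffle exponent
    perm = list(range(len(H))); rng.shuffle(perm)
    H_prime = [pow(H[perm[j]], c, P) for j in range(len(H))]  # h'_j = h_{pi(j)}^c
    C = pow(G, c, P)                                          # commitment to c
    e = c * s % Q                                             # the revealed exponent e = cs
    own = pow(G, e, P)                                        # the unique h' with h' = G^e, if any
    if own not in H_prime:                                    # s is not (or no longer) in H
        return False
    index = H_prime.index(own)
    anon_priv = rng.randrange(1, Q)                           # kept by the registrant, never sent
    cert_request = {"anon_pub": pow(g, anon_priv, P), "random_id": rng.getrandbits(32)}
    # T(H, H', G, C), the shuffle transcript of 5a, would travel with this message.
    return server.issue(C, H_prime, index, e, cert_request, shuffle_transcript_ok=True)

def invariant_holds(server, secrets):
    """Each remaining key is G^s for one and only one registered secret (the 'one, and only one'
    property the text relies on), with the current base G."""
    images = [pow(server.G, s, P) for s in secrets]
    return all(images.count(h) == 1 for h in server.K)

def demo(seed=3):
    rng = random.Random(seed)
    secrets = rng.sample(range(1, Q), 4)      # constructed registrant secrets s_i
    server = CertificateServer(register(secrets))
    first = client_session(server, secrets[2], rng)
    second = client_session(server, secrets[0], rng)
    s_bad = next(x for x in range(1, Q) if x not in secrets)   # never registered
    return {
        "first": first,
        "second": second,
        "remaining": len(server.K),
        "invariant": invariant_holds(server, secrets),
        "replay": client_session(server, secrets[2], rng),     # key already consumed
        "impostor": client_session(server, s_bad, rng),
        "issued": len(server.issued),
    }

if __name__ == "__main__":
    print(demo())
```

The chaining works because both G and every key are raised to the same c: h'_j = h_{π(j)}^c = (G^{s_{π(j)}})^c = (G^c)^{s_{π(j)}} = C^{s_{π(j)}}, so once the server sets G = C the remaining keys are again powers of the stored base and the next requester can compute its own G^e. A second request from the same registrant finds no h' equal to G^{cs} because that key was removed, which is the "only as many anonymous certificates as standard certificates" guarantee.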



Anonymous Authentication Protocol 2 

[0118] A shortcoming of the first anonymous authentication protocol is that the set to be shuffled by P must always 
be all of K. The same transformation (exponentiation) is applied to all public keys in the set H = K. Since each of the 
transcripts T(H, H', G, C) must be stored until all audit requirements are fulfilled, this can create a large amount of data 
if the original set of standard certificates is large. This problem is addressed with the following second anonymous 
authentication protocol. 
[0119] In this variant of the protocol 

• The public keys are pairs of elements (k_i, h_i) ∈ <g> × <g>, and the corresponding private keys are simply the secret 
exponents, s_i = log_{k_i} h_i. 

• The set H must contain P's public key. This can be achieved in a variety of ways. 

1. S and P can engage in a series of retries until this property of H is achieved. 

2. or, at initial registration, standard certificates can be assigned to "blocks." When P first contacts S, he 
identifies himself only so far as his block number. 

[0120] Effectively, a different base G is set for each individual P, and the individual shuffles only a subset of the entire 
set of public keys (which subset includes the voter's public/private key pair). The protocol proceeds as described in the 
previous section, with the following modifications. 

1. The transcript that is returned to P in step 5a is the shuffle transcript for the set of pairs. See above for the details 
of this construction. 

2. The proof of private key knowledge in step 5b needs to be a bit more complicated in order to avoid revealing the 
private key. 

(a) P must indicate to S a particular pair, (k', h') ∈ H', or its index, which is the new index of the pair belonging 
to P's private key. That is, h' = (k')^s. (Notice that such a pair exists uniquely, since the shuffle operation expo- 
nentiates both the k's and the h's to the same secret exponent c. So h = k^s if and only if h^c = (k^c)^s.) 

(b) P reveals to S a zero-knowledge proof that he, P, knows s = log_{k'} h'. (See the Chaum articles.) This proves 
that P knows the corresponding private key without revealing it. 

3. The corresponding checks that S must perform are obvious. 

(a) S checks the validity of P's shuffle transcript. 

(b) S checks the validity of P's proof that he knows s = log_{k'} h'. 
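Anonymous Authentication Protocol 2, worked as an added Python example (not code from the patent). Each standard certificate is a pair (k_i, h_i) with h_i = k_i^{s_i}; the requester identifies itself only by a block, shuffles that block by raising both components of every pair to the same secret c, points at its re-indexed pair (k', h') with h' = (k')^s, and proves knowledge of s = log_{k'} h' with a Schnorr-style zero-knowledge proof made non-interactive by Fiat-Shamir (the page cites "the Chaum articles" for such a proof; Schnorr's protocol is the concrete instance used here and is an assumption of the example). The shuffle transcript for the pairs is again assumed verified by the shuffle proof of the earlier sections. The group (p = 1019, q = 509, g = 4), the per-registrant bases, the block layout and the sample secrets are toy assumptions for the demonstration.

```python
import hashlib
import random

# Toy Schnorr group, an assumption for this demo and NOT a secure size:
# p = 2q + 1 with q prime, g = 4 of order q in Z_p*.
P, Q, g = 1019, 509, 4

def fs_challenge(*values):
    """Fiat-Shamir challenge in Z_q over the public transcript (toy encoding)."""
    digest = hashlib.sha256(",".join(str(v) for v in values).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def dlog_prove(base, pub, s, rng):
    """Non-interactive zero-knowledge proof of knowledge of s = log_base(pub) (Schnorr).
    Only the commitment a and the response r = w + e*s are sent; s itself stays private."""
    w = rng.randrange(1, Q)
    a = pow(base, w, P)
    e = fs_challenge(base, pub, a)
    return a, (w + e * s) % Q

def dlog_verify(base, pub, proof):
    a, r = proof
    e = fs_challenge(base, pub, a)
    return pow(base, r, P) == a * pow(pub, e, P) % P

def register(secrets, rng):
    """Standard certificates for Protocol 2: one pair (k_i, h_i) per registrant, h_i = k_i^{s_i}."""
    pairs = []
    for s in secrets:
        k = pow(g, rng.randrange(1, Q), P)        # a different base for each individual
        pairs.append((k, pow(k, s, P)))
    return pairs

def shuffle_pairs(M, c, perm):
    """Shuffle of pairs: permute, then raise both components to the same secret exponent c."""
    return [(pow(M[perm[j]][0], c, P), pow(M[perm[j]][1], c, P)) for j in range(len(M))]

def client_session(K, block, s, rng):
    """Steps 2 to 5. S returns H = the block that should contain P's pair; J = K - H is set aside.
    Here P takes M = H (M' empty), shuffles it and proves knowledge of s for its re-indexed pair."""
    H = [K[i] for i in block]
    J = [K[i] for i in range(len(K)) if i not in block]
    c = rng.randrange(1, Q)
    perm = list(range(len(H))); rng.shuffle(perm)
    H_prime = shuffle_pairs(H, c, perm)
    mine = [j for j, (k2, h2) in enumerate(H_prime) if pow(k2, s, P) == h2]   # h' = (k')^s
    if len(mine) != 1:           # P's pair is not in this block: retry with another block
        return None
    idx = mine[0]
    proof = dlog_prove(H_prime[idx][0], H_prime[idx][1], s, rng)
    return J, H_prime, idx, proof

def server_check(J, H_prime, idx, proof, shuffle_transcript_ok=True):
    """Step 6 for Protocol 2: check 5a (the shuffle transcript, assumed verified by the shuffle
    proof of the earlier sections) and 5b (the proof of knowledge). On success, issue and
    rebuild K = J ∪ M' ∪ H' with the pair (k', h') removed, as under equations (17) and (18)."""
    k2, h2 = H_prime[idx]
    if not shuffle_transcript_ok or not dlog_verify(k2, h2, proof):
        return None
    return J + [pair for j, pair in enumerate(H_prime) if j != idx]

def demo(seed=5):
    rng = random.Random(seed)
    secrets = rng.sample(range(1, Q), 6)      # constructed registrant secrets s_i
    K = register(secrets, rng)
    block = [0, 1, 2]                 # registrant 1 identified itself to S only by this block number
    res = client_session(K, block, secrets[1], rng)
    new_K = server_check(*res) if res is not None else None
    wrong_block = client_session(K, [3, 4, 5], secrets[1], rng)            # key not in that block
    s_bad = next(x for x in range(1, Q) if x not in secrets)               # never registered
    unregistered = client_session(K, block, s_bad, rng)
    return {
        "accepted": new_K is not None,
        "size_after": None if new_K is None else len(new_K),
        "removed_pair_gone": new_K is not None and res[1][res[2]] not in new_K,
        "wrong_block_rejected": wrong_block is None,
        "unregistered_rejected": unregistered is None,
    }

if __name__ == "__main__":
    print(demo())
```

Only the three pairs of the block are shuffled and only that transcript has to be retained for audit, which is the storage saving over Protocol 1. The pair is unique because k_j^{cs} = k_j^{cs_j} forces s = s_j, and the proof of knowledge is what lets S accept without ever seeing s, unlike the revealed product e = cs of Protocol 1.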



[0121] Note: under an alternative embodiment, some or all of the keys in the set K (i.e., the subset H) may be shuffled 
by certain individuals or authorities before any one individual requests an anonymous certificate. In other words, the pool 
of public keys may be sufficiently randomized before either of the above anonymous authentication protocols is em- 
ployed for a particular requesting individual. As a result, a smaller subset of public keys may be selected by each individual 
under Protocol 2. 

[0122] Referring to Figure 6, an example of a routine 600 for implementing the first variant of the anonymous certificate 
distribution is shown. After initializing cryptographic parameters in block 302, a standard set of public keys H is provided 
in block 604, which may be collected by a registration server after a set of registrants or voters have each registered 
and submitted public keys h (that correspond to individually held private keys s, as shown in block 606). In block 608, 
the base G is initialized to the subgroup generator g. 

[0123] In block 610, an optional randomization performed by one or more authorities may take place. Under block 
610, in sequence, each authority performs a verifiable shuffle on the set of standard public keys H using (G, C := G^c) as 
a shuffle commitment, where c is a secret key held by the authority. Each authority returns the shuffled set of public 
keys, H', along with the shuffle verification transcript, T(H, H', G, C), by employing the general shuffle described above. If the 
verification transcript is correct, then the registration server performs the substitutions G = C and H = H', and stores the 
previous values, along with the shuffle verification transcript, for later auditing purposes. The optional randomization 
under block 610 may be performed as part of the previous initialization, or at any intermediate stage of anonymous 
certificate generation described below. 

[0124] Blocks 612-618 represent a single request for an anonymous certificate by an individual who previously provided 
one of the public keys h in the set H. These steps are repeated for each requesting registrant. In block 612, the registrant 
(or more accurately, the voter's computer 102) generates a request for an anonymous certificate. In response thereto, 
the registration server retrieves the value G and the set of public keys H under block 614 and returns them to the 
registrant. In block 616, the registrant computes a shuffle of the keys h_i, 1 ≤ i ≤ k, and the corresponding verification 
transcript under the general shuffle protocol described above, and returns T(H, H', G, C) and e (which is equal to cs, 
with c and s known only to the registrant). Additionally, in block 616, the registrant generates a PKI certificate request with certain random 
identifying information. The random identifying information may be any user ID the registrant chooses to employ that 
cannot be used to identify the registrant. Under block 616, the registrant also safely stores a corresponding private key 
based on this request (which differs from the private key s). 
[0125] In block 618, the registration server checks the shuffle verification transcript and checks that h' = G^e. If both 
of these checks pass, then the registration server sets H = H' minus the one public key used by the registrant for 
certification (h'), G = C and k = k − 1. For auditing purposes, the registration server in block 618 also stores the registrant's 
verification transcript (i.e., T(H, H', G, C)). The registration server also digitally signs the certificate request to create 
a PKI certificate that is returned to the registrant. The routine then is ready for the next registrant's request. 
[0126] Referring to Figure 7, a routine 700 shows the second variant described above for anonymous certificate 
distribution. The routine 700 is similar to the routine 600. Block 704 is similar to block 604, except that the set H consists of 
public key pairs (k, h), and may be a proper subset. Similarly, block 710 is similar to block 610, as shown in Figure 7. 
[0127] After receiving a request, the registration server in block 714 retrieves a set H of public key pairs. Under an 
alternative embodiment, the registration server retrieves only a subset that includes the registrant's public key. In block 
716, the registrant selects a subset of the public key pairs M and sets M' = H − M. The registrant computes a shuffle H' 
of M and a corresponding verification transcript (T(M, H', g, C)), and generates a zero-knowledge proof P that the 
registrant knows a secret exponent s, as shown in Figure 7. Additionally, the registrant generates a PKI certificate request 
with random identifying information and stores the private key, as described above. 

[0128] In block 718, the registration server checks the shuffle verification transcript and P. If both checks pass, then 
the registration server sets K (with the public key pair (k', h') removed under equations (18) or (19)) and sets k = k − 1. 
The remainder of routine 700 is substantially similar to that of routine 600. 

11. Conclusion 

[0129] One skilled in the art will appreciate that the concepts of the invention can be used in various environments 
other than the Internet. For example, the concepts can be used in an electronic mail environment in which electronic 
mail ballots, transactions, or forms are processed and stored. In general, a web page or display description (e.g., the 
bulletin board) may be in HTML, XML or WAP format, email format, or any other format suitable for displaying information 
(including character/code based formats, bitmapped formats and vector based formats). Also, various communication 
channels, such as local area networks, wide area networks, or point-to-point dial-up connections, may be used instead 
of the Internet. The various transactions may also be conducted within a single computer environment, rather than in a 
client/server environment. Each voter or client computer may comprise any combination of hardware or software that 
interacts with the server computer or system. These client systems may include television-based systems, Internet 
appliances and various other consumer products through which transactions can be performed. 
[0130] In general, as used herein, a "link" refers to any resource locator identifying a resource on the network, such 
as a display description of a voting authority having a site or node on the network. In general, while hardware platforms, 
such as voter computers, terminals and servers, are described herein, aspects of the invention are equally applicable 
to nodes on the network having corresponding resource locators to identify such nodes. 

[0131] Unless the context clearly requires otherwise, throughout the description and the claims, the words 'comprise', 
'comprising', and the like are to be construed in an inclusive sense as opposed to an exclusive or exhaustive sense; 
that is to say, in the sense of "including, but not limited to". Words using the singular or plural number also include the 
plural or singular number, respectively. Additionally, the words "herein", "hereunder", and words of similar import, when 
used in this application, shall refer to this application as a whole and not to any particular portions of this application. 
[0132] The above description of illustrated embodiments of the invention is not intended to be exhaustive or to limit 
the invention to the precise form disclosed. While specific embodiments of, and examples for, the invention are described 
herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those 
skilled in the relevant art will recognize. The teachings of the invention provided herein can be applied to other encryption 
applications, not only the electronic voting system described above. For example, the protocol has applications in 
electronic commerce where both anonymity and auditability are requirements. Examples of this are electronic payment 
schemes ("e-cash"). 

[0133] The various embodiments described above can be combined to provide further embodiments. All of the above 
references and U.S. patents and applications are incorporated herein by reference. Aspects of the invention can be 
modified, if necessary, to employ the systems, functions and concepts of the various patents and applications described 
above to provide yet further embodiments of the invention. 

[0134] These and other changes can be made to the invention in light of the above detailed description. In general, 
in the following claims, the terms used should not be construed to limit the invention to the specific embodiments disclosed 
in the specification and the claims, but should be construed to include all encryption systems and methods that operate 
under the claims to provide data security. Accordingly, the invention is not limited by the disclosure, but instead the 
scope of the invention is to be determined entirely by the claims. 

[0135] While certain aspects of the invention are presented below in certain claim forms, the inventor contemplates 
the various aspects of the invention in any number of claim forms. For example, while only one aspect of the invention 
is recited as embodied in a computer-readable medium, other aspects may likewise be embodied in a computer-readable 
medium. Accordingly, the inventor reserves the right to add additional claims after filing the application to pursue such 
additional claim forms for other aspects of the invention. 

The following is a list of further preferred embodiments of the invention: 

[0136] 

Embodiment 1. An electronic voting system for use with a computerized network, comprising: 
a plurality of voting computers coupled to the computerized network, wherein each voting computer provides 
an electronic encrypted ballot, wherein each electronic ballot is encrypted under a discrete log asymmetric 
encryption process using underlying groups Z_p or elliptic curve; 

at least first, second and third authority computers coupled to the computerized network, wherein the first 
authority computer is configured to receive a series of electronic ballots corresponding to an aggregation of 
each of the electronic ballots received from the plurality of voting computers, and to apply a secret, one-way 
cryptographic transformation using at least a first secret key to anonymously shuffle the series of electronic 
ballots and produce a first shuffled series of ballots, wherein only the first authority computer knows a corre- 
spondence between the first series of shuffled ballots and the series of electronic ballots, and wherein the first 
authority computer is further configured to provide a first linear size, non-interactive proof of correctness for the 
first series of shuffled ballots based on a scaled iterated logarithmic multiplication proof; 

wherein the second authority computer is configured to receive the first series of shuffled ballots, to apply the 
cryptographic transformation using at least a second secret key to anonymously shuffle the first series of shuffled 
ballots and produce a second series of shuffled ballots, wherein only the second authority computer knows a 
correspondence between the first series of shuffled ballots and the second series of shuffled ballots, and wherein 
the second authority computer is further configured to provide a second linear size, non-interactive proof of 
correctness for the second series of shuffled ballots based on the scaled iterated logarithmic multiplication proof; 

wherein the third authority computer is configured to receive the second series of shuffled ballots, to apply the 
cryptographic transformation using at least a third secret key to anonymously shuffle the second series of 
shuffled ballots and produce a third series of shuffled ballots, wherein only the third authority computer knows 
a correspondence between the third series of shuffled ballots and the second series of shuffled ballots, and 
wherein the third authority computer is further configured to provide a third linear size, non-interactive proof of 
correctness for the third series of shuffled ballots based on the scaled iterated logarithmic multiplication proof; and 

a verification computer coupled to the computerized network, wherein the verification computer is configured 
to receive the proofs of correctness from the first, second and third authority computers and, without interacting 
with the first, second and third authority computers, to verify a correctness of the shuffled ballots. 

Embodiment 2. The system of embodiment 1, further comprising: 

a server computer system coupled to the computerized network, wherein the server computer system is con- 
figured to: receive the plurality of electronic ballots from the plurality of voting computers; verify a proof of validity 
of each of the plurality of electronic ballots; form an encrypted tally of the votes from the plurality of electronic 
ballots; transmit the encrypted tally to the first, second and third authority computers; receive ballot decryption 
shares produced from at least two of the first, second and third authority computers; and compute a decrypted 
tally; and 

at least one voting poll computer coupled to the computerized network and providing some of the plurality of 
electronic encrypted ballots to the server computer system. 

Embodiment 3. The system of embodiment 1 wherein the first, second and third authority computers are configured 
to provide Chaum-Pedersen proofs for the first, second and third shuffles of the ballots, respectively, and wherein 
each of the first, second and third authority computers generate an initial challenge series, receive a challenge from 
at least one verification computer, and generate the cryptographic transformation based on an exponentiation of 
the initial and received challenges. 

Embodiment 4. The system of embodiment 1 wherein the computerized network includes the World Wide Web, 
wherein each of the plurality of voting computers and first, second and third authority computers include a web 
browser program. 

Embodiment 5. The system of embodiment 1 wherein the plurality of voter computers include at least one palm-sized 
computer, cell phone, wearable computer, interactive television terminal or Internet appliance. 

Embodiment 6. A computer system for receiving a sequence of elements, comprising: 
a server computer coupled to a computer network and configured to: 

receive a sequence of electronic data elements representing individual data files, 

apply a cryptographic transformation using at least a first secret key to anonymously permute the sequence 
of electronic data elements and produce a first shuffled sequence of electronic data elements, wherein the 
server computer knows a correspondence between the first shuffled sequence of electronic data elements 
and the sequence of electronic data elements, and generate a first linear size proof of correctness for the 
first shuffled sequence of electronic data elements based on a scaled iterated logarithmic multiplication proof. 

Embodiment 7. The system of embodiment 6 wherein the received sequence of electronic data elements are en- 
crypted using Z_p or elliptic curve groups using a key unknown to the server computer, and wherein the server 
computer is further configured to: 

receive a series of randomly generated values e_i from a verifier computer; 

secretly generate a series of values U_i based on a secret, one-way cryptographic transformation that employs 
the received series of values e_i and secretly generated values û_i; 

permute the sequence of electronic data elements to produce the first shuffled sequence of elements 
based on the series of values U_i and a secret value; and 

provide the values U_i and a series of proof values based on the cryptographic transformation as a proof of 
knowledge that the server computer has access to how the cryptographic transformation permuted the sequence 
of electronic data elements to produce the first shuffled sequence of elements without revealing the cryptographic 
transformation to the verifier computer. 

Embodiment 8. The system of embodiment 6 wherein the server computer is further configured for 

receiving a plurality of public keys from a corresponding plurality of individuals, wherein each of the plurality of 
individuals has a private key corresponding to one of the plurality of public keys; 

receiving a request for a certificate from one of the plurality of individuals having a one private key; 

providing at least a subset of the plurality of public keys to the requesting individual; 

receiving a shuffle of the plurality of public keys and a linear size proof of correctness for the shuffled public 
keys based on a scaled iterated logarithmic multiplication proof and a value corresponding to the one private 
key, wherein the value provides proof that the one individual has knowledge of the one private key without 
revealing the one private key; 

checking the proof of correctness; 

checking that the value is mathematically related to a one of the public keys that corresponds to the one private 
key; 

issuing a certificate to the one individual; and 

reducing the plurality of public keys by the one public key. 

Embodiment 9. The system of embodiment 6 wherein the sequence of electronic elements are public keys, and
wherein the server is further configured to check, in response to a request from an individual, that the individual has
a value uniquely and mathematically related to a one of the public keys; and
if so, issue a certificate to the one individual.

Embodiment 10. A computer-implemented method, comprising:
receiving a plurality of public keys from a corresponding plurality of individuals, wherein each of the plurality of
individuals have a private key corresponding to one of the plurality of public keys;

receiving a request for a certificate from one of the plurality of individuals having a one private key; 

providing at least a subset of the plurality of public keys to the requesting individual; 

receiving a shuffle of the plurality of public keys and a linear size proof of correctness for the shuffled public
keys based on a scaled iterated logarithmic multiplication proof and a value corresponding to the one private
key, wherein the value provides proof that the one individual has knowledge of the one private key without
revealing the one private key;

checking the proof of correctness; 

checking that the value is mathematically related to a one of the public keys that corresponds to the one private 
key; 

issuing a certificate to the one individual; and 

reducing the plurality of public keys by the one public key.

Embodiment 11. The method of embodiment 10 wherein the method further includes setting a value G to a subgroup
operator g from a Zp or elliptic curve group, wherein providing at least a subset of the plurality of public keys includes
providing all of the then current public keys H.

Embodiment 12. The method of embodiment 10 wherein providing at least a subset of the plurality of public keys
includes providing at least a subset of a plurality of public key pairs, wherein receiving a shuffle of the plurality of
public keys includes receiving a shuffle of a true subset of the plurality of public key pairs as selected by the one
individual.

Embodiment 13. The method of embodiment 10, further comprising: 

receiving from each of a plurality of authorities, in sequence, a shuffled set of the plurality of public keys H'
based on a secret cryptographic shuffle operation performed on at least a subset of the plurality of public keys
to produce the shuffled set of the plurality of public keys H';

receiving from each of a plurality of authorities, in sequence, a verification transcript of the cryptographic shuffle
operation; and

verifying a correctness of the cryptographic shuffle operation based on the verification transcript; and if verified,
then setting at least a subset of the plurality of public keys H to H'.

Embodiment 14. The method of embodiment 10, further comprising: 

at a time after receiving at least some of the plurality of public keys, setting at least a subset of the then received 
plurality of public keys to a received shuffled set of the plurality of public keys, wherein the shuffled set of the 
plurality of public keys have been received from a third party. 

Embodiment 15. The method of embodiment 10, further comprising: receiving the issued certificate from the one
of the plurality of individuals;

and providing an electronic ballot to the one individual. 

Embodiment 16. The method of embodiment 10 wherein issuing a certificate includes digitally signing the received
request to produce a public key infrastructure (PKI) certificate.

Embodiment 17. The method of embodiment 10, further comprising:

receiving issued certificates from at least some of the plurality of individuals and providing initial electronic
ballots in response thereto; and

receiving unencrypted voted ballots from the at least some of the plurality of individuals. 

Embodiment 18. A computer-implemented cryptographic method between a prover computer and a verifier computer,
the method comprising: 

selecting a subgroup generator g selected from a group G; 

secretly generating a prover key c, and a commitment value C based on the subgroup generator g; 

secretly establishing a cryptographic relationship between first and second sequences of elements; 

providing to the verifier computer the commitment C and the first and second sequences of elements, but not 
the cryptographic relationship; 

computing a series of proof values based on the cryptographic relationship; and 

providing the series of computed proof values to the verifier computer as a non-interactive proof of knowledge 
that the prover computer has access to the cryptographic relationship without revealing the cryptographic rela- 
tionship to the verifier computer. 

Embodiment 19. The method of embodiment 18 wherein at least the second sequence of elements is a sequence
of encrypted ballots, wherein each ballot is encrypted using Zp or elliptic curve groups;
wherein the first and second sequences of elements are respectively

wherein the first and second sequences of elements have the cryptographic relationship

(g^x_1, ..., g^x_k) = (X_1, ..., X_k)
(g^y_1, ..., g^y_k) = (Y_1, ..., Y_k)

and where

and wherein computing and providing the series of proof values includes providing Chaum-Pedersen proofs based on:
for each 0 ≤ i ≤ k generate random r_i
for each 1 ≤ i ≤ k, W_i = r_i u_i / r^^

Z_i = g^r_i wherein the Chaum-Pedersen proofs provided to the verifier computer are of a form:
Embodiment 20. The method of embodiment 18, further comprising:

permuting the first sequence of elements to produce the second sequence of elements based on a cryptographic
transformation;

receiving a randomly generated value t from the verifier computer;

secretly generating a value T based on the received value t and the subgroup generator, and secretly generating
a value S based on the received value t and the prover key c; and

wherein computing and providing to the verifier computer the series of proof values includes providing a series of
values based on the cryptographic transformation as a proof of knowledge that the prover computer has access to
how the cryptographic transformation permuted the first sequence of elements to produce the second sequence of
elements without revealing the cryptographic transformation to the verifier computer.

Embodiment 21. The method of embodiment 18, further comprising:

permuting the first sequence of elements to produce the second sequence of elements based on a cryptographic
transformation in a form of

(g"''' r-^'o^cn n)

receiving a randomly generated value t from the verifier computer;

secretly generating a value T based on raising the subgroup generator g to the received value t and secretly
generating a value S based on raising the value T to the prover key c, and

wherein computing and providing to the verifier computer the series of proof values includes providing a series
of values based on the cryptographic transformation in a form of:

as a proof of knowledge that the prover computer has access to how the cryptographic transformation permuted
the first sequence of elements to provide the second sequence of elements without revealing the cryptographic
transformation to the verifier computer.
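As an added illustration (not code from the patent), the following Python sketch implements the Chaum-Pedersen proofs that embodiments 18 and 21 rely on, for the unpermuted relationship Y_i = X_i^c with the commitment C = g^c published. It uses a hash-derived (Fiat-Shamir) challenge instead of the verifier-supplied value t, and the toy group parameters p = 2039, q = 1019, g = 4 are assumptions of the example.

```python
# Added example (not from the patent): non-interactive Chaum-Pedersen proofs
# for the relationship of embodiments 18 and 21 in the unpermuted case,
# Y_i = X_i^c with C = g^c committed, so a verifier learns that one secret
# exponent c links every pair without learning c. Challenges come from a hash
# (Fiat-Shamir) rather than from the verifier's value t of embodiment 21.
import hashlib
import secrets

# Toy subgroup parameters (constructed for readability, far too small for
# real use): p = 2q + 1 is a safe prime and g = 4 generates the order-q
# subgroup of quadratic residues in Z_p^*.
P = 2039
Q = 1019
G = 4


def fiat_shamir(*elems):
    """Derive a challenge in Z_q by hashing the transcript so far."""
    data = ",".join(str(e) for e in elems).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def random_subgroup_elements(k):
    """Constructed first sequence X_1..X_k: random elements of the subgroup."""
    return [pow(G, secrets.randbelow(Q - 1) + 1, P) for _ in range(k)]


def cp_prove(c, x_seq):
    """Prover: publish C = g^c, Y_i = X_i^c and, per element, a proof that
    log_g(C) == log_{X_i}(Y_i). Returns (C, y_seq, proofs)."""
    C = pow(G, c, P)
    y_seq = [pow(x, c, P) for x in x_seq]
    proofs = []
    for x, y in zip(x_seq, y_seq):
        r = secrets.randbelow(Q - 1) + 1          # fresh nonce per element
        t1, t2 = pow(G, r, P), pow(x, r, P)       # commitments g^r, X_i^r
        e = fiat_shamir(G, C, x, y, t1, t2)       # challenge bound to statement
        s = (r + e * c) % Q                       # response
        proofs.append((t1, t2, s))
    return C, y_seq, proofs


def cp_verify(C, x_seq, y_seq, proofs):
    """Verifier: recompute each challenge and check both exponent equations.
    Rejects mismatched lengths and any element whose proof does not verify."""
    if not (len(x_seq) == len(y_seq) == len(proofs)):
        return False
    for x, y, (t1, t2, s) in zip(x_seq, y_seq, proofs):
        e = fiat_shamir(G, C, x, y, t1, t2)
        if pow(G, s, P) != (t1 * pow(C, e, P)) % P:     # g^s == t1 * C^e
            return False
        if pow(x, s, P) != (t2 * pow(y, e, P)) % P:     # X_i^s == t2 * Y_i^e
            return False
    return True


if __name__ == "__main__":
    xs = random_subgroup_elements(4)
    c = secrets.randbelow(Q - 1) + 1
    C, ys, proofs = cp_prove(c, xs)
    print("honest proof accepted:", cp_verify(C, xs, ys, proofs))
    # Altering one Y_i without knowing c breaks that element's proof.
    ys_bad = [(ys[0] * G) % P] + ys[1:]
    print("tampered sequence accepted:", cp_verify(C, xs, ys_bad, proofs))
```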

Embodiment 22. The method of embodiment 18, further comprising:

receiving the first sequence of elements as a set of elements that have previously been permuted in a manner
unknown to the prover computer;

receiving a series of randomly generated values e_i from the verifier computer;

secretly generating a series of values u_i based on a secret cryptographic transformation that employs the
received series of values and secretly generated values;

permuting the second sequence of elements with respect to the first sequence of elements based on the series
of values u_i and a secret value d; and

wherein computing and providing to the verifier computer the series of proof values includes providing the resulting
values u_i and providing a series of proof values based on the cryptographic transformation as a proof of knowledge
that the prover computer has access to how the cryptographic transformation permuted the first sequence of elements
to provide the second sequence of elements without revealing the cryptographic transformation to the verifier com-
puter.

Embodiment 23. The method of embodiment 18, further comprising:

receiving the first sequence of elements as a set of elements that have previously been permuted in a manner
unknown to the prover computer;

receiving a series of randomly generated values from the verifier computer;

secretly generating a series of values u_i based on a secret cryptographic transformation of a form

permuting the second sequence of elements with respect to the first sequence of elements based on the series
of values u_i and a secret value d based on the following operations

and wherein computing and providing to the verifier the series of proof values includes providing the resulting
values u_i,

B=m
and for 1 ≤ i ≤ k providing a series of Chaum-Pedersen proofs of a form

and a Chaum-Pedersen proof for (D, A, B) as a proof of knowledge that the prover computer has access to
how the cryptographic transformation permuted the first sequence of elements to provide the second sequence
of elements without revealing the cryptographic transformation to the verifier computer.

Embodiment 24. The method of embodiment 23, further comprising repeating the receiving the first sequence of
elements, receiving a series of randomly generated values, secretly generating a series of values, and permuting
the second sequence of elements for each l-tuple of elements in the first sequence of elements.

Embodiment 25. The method of embodiment 22 wherein receiving the first sequence of elements includes receiving
a subset of a set of identifying elements, wherein each identifying element in the set corresponds to an individual,
and wherein the method further comprises: 

receiving an anonymous certificate if the verifying computer verifies the series of proofs. 

Embodiment 26. The method of embodiment 18 wherein the group G is Zp. 

Embodiment 27. The method of embodiment 18 wherein the group G is an elliptic curve group. 

Embodiment 28. A computer-readable medium whose contents provide instructions, when implemented by a com-
puter, perform a shuffling of a sequence of electronic data elements, comprising:

receive the sequence of electronic data elements;

apply a secret, one-way cryptographic transformation using at least a first secret key to anonymously permute
the sequence of electronic data elements and produce a first shuffled sequence of electronic data elements; and

generate a first linear size, non-interactive proof of correctness for the first shuffled sequence of electronic data
elements based on a scaled iterated logarithmic multiplication proof.

Embodiment 29. The computer-readable medium of embodiment 28 wherein the received sequence of electronic
data elements are encrypted with an underlying mathematical group being a ring of integers having a modulus
integer value p (Zp).

Embodiment 30. The computer-readable medium of embodiment 28 wherein the computer-readable medium is a 
logical node in a computer network receiving the sequence of electronic data elements and the contents. 

Embodiment 31. The computer-readable medium of embodiment 28 wherein the computer-readable medium is a 
computer-readable disk. 

Embodiment 32. The computer-readable medium of embodiment 28 wherein the computer-readable medium is a 
data transmission medium transmitting a generated data signal containing the contents. 

Embodiment 33. The computer-readable medium of embodiment 28 wherein the computer-readable medium is a 
memory of a computer system. 

Embodiment 34. The computer-readable medium of embodiment 28 wherein the computer-readable medium is an 
Internet connection link to a voting authority server computer. 

Embodiment 35. In a cryptographic method, a transmitted signal for use by a computer, comprising: 

a shuffled sequence of electronic data elements representing individual data files, wherein a one-way crypto-
graphic transformation using at least a first secret key anonymously permuted an input sequence of electronic
data elements to produce the shuffled sequence of electronic data elements, and

a linear size proof of correctness for the shuffled sequence of electronic data elements based on a scaled 
iterated logarithmic multiplication proof. 


Important Note: 

[0137] While the attached claims relate to a preferred aspect of the present invention, the applicant wishes to reserve
the right to file one or several further divisional applications at a later point in time for other aspects disclosed in the
application. Those further applications will be divided out from the present divisional application. By this statement, the
public is herewith informed that more divisional applications relating to different subject matter may follow.



Claims 


1. A computer system (114) for receiving a sequence of elements, comprising:

a server computer (114) coupled to a computer network (106) and configured to:

receive a sequence of electronic data elements representing individual data files,

apply a cryptographic transformation using at least a secret key to anonymously permute the sequence of
electronic data elements and produce a shuffled sequence of electronic data elements, wherein the server
computer (114) knows a correspondence between the shuffled sequence of electronic data elements and
the sequence of electronic data elements,

characterized in that said server computer (114) is further configured to:

generate a proof of correctness for the permutation based on a proof that the product of unencrypted values of
elements of a first sequence of encrypted data elements is equal to the product of unencrypted values of
elements of a second sequence of encrypted data elements.

2. The system of claim 1 wherein the received sequence of electronic data elements are encrypted using Zp or elliptic
curve groups using a key unknown to the server computer (114), and wherein the server computer (114) is further
configured to:

receive a series of randomly generated values e_i from a verifier computer (130); and

generate the proof of correctness as a non-interactive proof based at least in part on at least some of the
randomly generated values.

3. The system of claim 1 wherein the server computer (114) is further configured for

receiving a plurality of public keys from a corresponding plurality of individuals, wherein each of the plurality of
individuals have a private key corresponding to one of the plurality of public keys;

receiving a request for a certificate from one of the plurality of individuals having a one private key;

providing at least a subset of the plurality of public keys to the requesting individual;

receiving a shuffle of the plurality of public keys and a non-interactive proof of correctness for the permutation
based on a proof that the product of unencrypted values of elements of a first sequence of encrypted data
elements is equal to the product of unencrypted values of elements of a second sequence of encrypted data
elements;

checking the proof of correctness;

issuing a certificate to the one individual; and

reducing the plurality of public keys by the one public key.

4. The system of claim 1 wherein the sequence of electronic elements are public keys, and wherein the server (114)
is further configured to check, in response to a request from an individual, that the individual has a secret key uniquely
and mathematically related to a one of the public keys; and
if so, issue a certificate to the one individual.
5. The system of claim 1 wherein the sequence of electronic data elements is a sequence of ballot choices under an
electronic election.

6. The system of claim 1 wherein the proof of correctness proves that given the sequence of electronic data elements
and the produced shuffled sequence of electronic data elements, there exists a permutation such that for every
decrypted element in the sequence of electronic data elements there exists a corresponding permuted decrypted
element in the produced shuffled sequence of electronic data elements.
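As an added illustration (not the patent's proof), the following Python code performs an ElGamal re-encryption shuffle over a constructed toy group and checks the invariant that the proof of claims 1 and 6 certifies: the product of the plaintexts is preserved by the shuffle. The check here uses the decryption key so the invariant can be seen directly; the patent's proof establishes it for a verifier who has no key. The parameters p = 2039, q = 1019, g = 4 and the sample plaintexts are assumptions of the example.

```python
# Added example (not the patent's proof): an ElGamal re-encryption shuffle over
# a toy group, and the invariant that the proof of claims 1 and 6 certifies,
# namely that the product of the plaintexts is unchanged by the shuffle. The
# check below uses the decryption key so the invariant is visible; the patent's
# proof lets a verifier without the key establish the same fact.
import secrets

# Toy safe-prime subgroup (constructed; far too small for real use):
# p = 2q + 1, g = 4 generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4


def keygen():
    """Decryption key x and public key h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, m, r=None):
    """ElGamal ciphertext (g^r, m * h^r); m is any nonzero residue mod p."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(x, ct):
    a, b = ct
    return (b * pow(a, (Q - x) % Q, P)) % P      # b / a^x, a has order q


def reencrypt(h, ct, s=None):
    """Multiply by an encryption of 1: same plaintext, fresh randomness."""
    s = secrets.randbelow(Q) if s is None else s
    a, b = ct
    return (a * pow(G, s, P)) % P, (b * pow(h, s, P)) % P


def shuffle(h, cts):
    """Secret Fisher-Yates permutation plus re-encryption of every element.
    Only the shuffler learns perm, i.e. the correspondence of claim 1."""
    perm = list(range(len(cts)))
    for i in range(len(perm) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return [reencrypt(h, cts[p]) for p in perm], perm


def homomorphic_product(cts):
    """Componentwise product of ciphertexts encrypts the product of plaintexts."""
    a, b = 1, 1
    for ca, cb in cts:
        a, b = (a * ca) % P, (b * cb) % P
    return a, b


def products_agree(x, cts_in, cts_out):
    """Invariant of claim 1: equal plaintext products on both sides."""
    return (decrypt(x, homomorphic_product(cts_in))
            == decrypt(x, homomorphic_product(cts_out)))


def same_multiset(x, cts_in, cts_out):
    """Property of claim 6: some permutation matches the decrypted elements."""
    return (sorted(decrypt(x, c) for c in cts_in)
            == sorted(decrypt(x, c) for c in cts_out))


if __name__ == "__main__":
    x, h = keygen()
    ballots = [5, 7, 11, 13]                       # constructed plaintexts
    cts = [encrypt(h, m) for m in ballots]
    shuffled, _ = shuffle(h, cts)
    print("honest shuffle:", products_agree(x, cts, shuffled),
          same_multiset(x, cts, shuffled))
    # Swapping one ballot for another changes the product and is caught.
    forged = shuffled[:-1] + [encrypt(h, 17)]
    print("forged element:", products_agree(x, cts, forged))
    # Product equality alone is only a necessary condition: replacing {5, 7}
    # by {35, 1} keeps the product. That is why claim 20 applies the product
    # proof to encrypted linear factors of a polynomial, not to raw plaintexts.
    collapsed = [encrypt(h, m) for m in [35, 1, 11, 13]]
    print("same product, not a permutation:", products_agree(x, cts, collapsed),
          same_multiset(x, cts, collapsed))
```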

7. A computer-readable medium whose contents store a sequence of electronic data elements and associated data,
wherein the sequence of electronic data elements are processed by a computer-implemented method for a shuffling
of the sequence of electronic data elements, the method comprising:

receiving the sequence of electronic data elements;

applying a secret, one-way cryptographic transformation using at least a first secret key to anonymously permute
the sequence of electronic data elements and producing a first shuffled sequence of electronic data elements,

characterized by further comprising:

generating a proof of correctness for the permutation based on a proof that the product of unencrypted values
of elements of a first sequence of encrypted data elements is equal to the product of unencrypted values of
elements of a second sequence of encrypted data elements.

8. The computer-readable medium of claim 7 wherein the received sequence of electronic data elements are encrypted
with an underlying mathematical group being a ring of integers having a modulus integer value p (Zp).

9. The computer-readable medium of claim 7 wherein the computer-readable medium is a logical node in a computer
network receiving the sequence of electronic data elements and the proof of correctness.

10. The computer-readable medium of claim 7 wherein the computer-readable medium is a computer-readable disk.

11. The computer-readable medium of claim 7 wherein the computer-readable medium is a data transmission medium
transmitting a generated data signal containing the sequence of electronic data elements and the proof of correctness.

12. The computer-readable medium of claim 7 wherein the computer-readable medium is a memory of a computer
system.

13. The computer-readable medium of claim 7 wherein the computer-readable medium is an Internet connection link
to a voting authority server computer.

14. The computer-readable medium of claim 7 wherein the electronic data elements include at least public keys or digital
certificates associated with public keys.

15. The computer-readable medium of claim 7 wherein the sequence of electronic data elements are electronic ballots
or electronic ballot choices.

16. A computer-implemented method for performing a shuffling of a sequence of electronic data elements, comprising:

providing a request from a computer associated with one private key corresponding to one public key of multiple
public keys, wherein each of the multiple public keys corresponds to one of multiple private keys;
receiving a shuffled set of at least some of the multiple public keys; and

producing a new shuffled set of the multiple public keys and a proof of correctness for the shuffling, wherein
the proof of correctness is based on a proof that the product of unencrypted values of elements of a first sequence
of encrypted data elements is equal to the product of unencrypted values of elements of a second sequence
of encrypted data elements.

17. The method of claim 16, further comprising:

providing a file; and
producing the proof of correctness for the new shuffled set of public keys based on a non-interactive proof that
the product of unencrypted values of elements of the first sequence of encrypted data elements is equal to the
product of unencrypted values of elements of a second sequence of encrypted data elements.

18. The computer-readable medium of claim 7 wherein the received sequence of electronic data elements are encrypted
with an underlying elliptic curve group.

19. The computer-readable medium of claim 7 wherein the proof of correctness is a non-interactive proof of correctness.

20. The system of claim 1 wherein the proof of correctness for the permutation is based on a proof that one polynomial
defined by a first sequence of encrypted linear factors is equal to a constant multiple of a second polynomial defined
by a second sequence of encrypted linear factors.

21. An electronic voting system for use with a computerized network, comprising: a plurality of voting computers coupled
to the computerized network, wherein each voting computer provides an electronic encrypted ballot, wherein each
electronic ballot is encrypted under a discrete log asymmetric encryption process using underlying groups Zp or
elliptic curve; at least first, second and third authority computers coupled to the computerized network, wherein the
first authority computer is configured to receive a series of electronic ballots corresponding to an aggregation of
each of the electronic ballots received from the plurality of voting computers, and to apply a secret, one-way
cryptographic transformation using at least a first secret key to anonymously shuffle the series of electronic ballots and
produce a first shuffled series of ballots, wherein only the first authority computer knows a correspondence between
the first series of shuffled ballots and the series of electronic ballots, and wherein the first authority computer is
further configured to provide a first linear size, non-interactive proof of correctness for the first series of shuffled
ballots based on a scaled iterated logarithmic multiplication proof; wherein the second authority computer is
configured to receive the first series of shuffled ballots, to apply the cryptographic transformation using at least a second
secret key to anonymously shuffle the first series of shuffled ballots and produce a second series of shuffled ballots,
wherein only the second authority computer knows a correspondence between the first series of shuffled ballots
and the second series of shuffled ballots, and wherein the second authority computer is further configured to provide
a second linear size, non-interactive proof of correctness for the second series of shuffled ballots based on the
scaled iterated logarithmic multiplication proof; wherein the third authority computer is configured to receive the
second series of shuffled ballots, to apply the cryptographic transformation using at least a third secret key to
anonymously shuffle the second series of shuffled ballots and produce a third series of shuffled ballots, wherein
only the third authority computer knows a correspondence between the third series of shuffled ballots and the second
series of shuffled ballots, and wherein the third authority computer is further configured to provide a third linear size,
non-interactive proof of correctness for the third series of shuffled ballots based on the scaled iterated logarithmic
multiplication proof; and a verification computer coupled to the computerized network, wherein the verification com-
puter is configured to receive the proofs of correctness from the first, second and third authority computers and
without interacting with the first, second and third authority computers, to verify a correctness of the shuffled ballots.

22. A computer system for receiving a sequence of elements, comprising: a server computer coupled to a computer
network and configured to: receive a sequence of electronic data elements representing individual data files, apply
a cryptographic transformation using at least a first secret key to anonymously permute the sequence of electronic
data elements and produce a first shuffled sequence of electronic data elements, wherein the server computer
knows a correspondence between the first shuffled sequence of electronic data elements and the sequence of
electronic data elements, and generate a first linear size proof of correctness for the first shuffled sequence of
electronic data elements based on a scaled iterated logarithmic multiplication proof.

23. A computer-implemented method, comprising: receiving a plurality of public keys from a corresponding plurality of
individuals, wherein each of the plurality of individuals have a private key corresponding to one of the plurality of
public keys; receiving a request for a certificate from one of the plurality of individuals having a one private key;
providing at least a subset of the plurality of public keys to the requesting individual; receiving a shuffle of the plurality
of public keys and a linear size proof of correctness for the shuffled public keys based on a scaled iterated logarithmic
multiplication proof and a value corresponding to the one private key, wherein the value provides proof that the one
individual has knowledge of the one private key without revealing the one private key; checking the proof of correct-
ness; checking that the value is mathematically related to a one of the public keys that corresponds to the one
private key; issuing a certificate to the one individual; and reducing the plurality of public keys by the one public key.

24. A computer-implemented cryptographic method between a prover computer and a verifier computer, the method
comprising: selecting a subgroup generator g selected from a group G; secretly generating a prover key c, and a
commitment value C based on the subgroup generator g; secretly establishing a cryptographic relationship between
first and second sequences of elements; providing to the verifier computer the commitment C and the first and
second sequences of elements, but not the cryptographic relationship; computing a series of proof values based
on the cryptographic relationship; and providing the series of computed proof values to the verifier computer as a
non-interactive proof of knowledge that the prover computer has access to the cryptographic relationship without
revealing the cryptographic relationship to the verifier computer.

25. A computer-readable medium whose contents provide instructions, when implemented by a computer, perform a
shuffling of a sequence of electronic data elements, comprising: receive the sequence of electronic data elements;
apply a secret, one-way cryptographic transformation using at least a first secret key to anonymously permute the
sequence of electronic data elements and produce a first shuffled sequence of electronic data elements; and generate
a first linear size, non-interactive proof of correctness for the first shuffled sequence of electronic data elements
based on a scaled iterated logarithmic multiplication proof.



26. In a cryptographic method, a transmitted signal for use by a computer, comprising: a shuffled sequence of electronic
data elements representing individual data files, wherein a one-way cryptographic transformation using at least a
first secret key anonymously permuted an input sequence of electronic data elements to produce the shuffled
sequence of electronic data elements, and a linear size proof of correctness for the shuffled sequence of electronic
data elements based on a scaled iterated logarithmic multiplication proof.
Drawing text (recovered from the figures: end of the registration-server shuffle panel, followed by the anonymous certificate request and generation phase):

... as the shuffle commitment, and returns the shuffled set H' along with the shuffle verification transcript T(H, H', g, C).

If the verification transcript is correct, Registration Server performs the substitution and stores the previous values, along with the shuffle verification transcript, for audit purposes.

(This can be performed as part of initialization and/or at any intermediate stage of anonymous certificate distribution.)

Anonymous Certificate Request and Generation Phase (each registrant in turn)

Messages: Registrant (612) sends an anonymous authentication request; Registration Server (614) returns H (contains registrant's public key); Registrant returns T(H, H', g, C), P and the certificate request to sign.

Registrant (612): Generate Request
1) Select subset of H of size [unreadable] and set
2) Compute shuffle H' of that subset and verification transcript
3) Generate zero-knowledge proof P that registrant knows exponent s such that g^s = h_j in H' for specified index j
4) Generate PKI Certificate Request with random identifying information
5) Safely store private key corresponding to this certificate request

Registration Server (714): Retrieve H
1) Check shuffle verification transcript
2) Check P
If both checks pass:
3) Set H [formula unreadable]
4) [text not recovered] for audit purposes
5) Digitally sign, thereby creating PKI Certificate
Else, if any check fails: deny request

Loop to beginning of this phase (ready for next anonymous authentication request)